- Created by Ann Base, last modified by Josefin Klang on Feb 21, 2023
This article describes standard service tasks that can be used with Smart ID Identity Manager.
The default values below are only examples. The values must be configured for the desired behavior of the task.
Parameters and values
Mandatory parameters must not be deleted when you configure a standard service task; otherwise the task fails at runtime, because Identity Manager Admin currently does not check that mandatory parameters exist.
For some parameters of the standard service tasks, default values at design time are documented here. These defaults are only relevant when a new service task is configured in Identity Manager Admin: the default value is then automatically added as the parameter value. The process designer may change it or delete the parameter, in which case the design-time default has no effect at runtime.
A parameter that is not mandatory may be deleted at design time. At runtime the following default values are in effect, depending on the parameter type:
Type | Default value at runtime |
---|---|
Date | Current date, measured to the nearest millisecond |
Boolean | false |
(other) | null |
This article includes updates for Smart ID 22.10.2.
Standard service tasks
Card Production
Use this task to query the Nexus GO Cards ordering API for the status of an order that was previously placed through Nexus GO Cards production.
Delegate expression: ${caasCardOrderStatusAction}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
orderId | yes | | The orderId (or requestId) returned by Nexus GO Cards when the card order was placed. |
statusVariableKeyName | yes | orderStatus (example) | Name of the process variable that receives the status of the order identified by orderId. |
EM_rfIdType | - | | Name of the process variable that receives the RFID of type EM. |
MIFARE_rfIdType | - | | Name of the process variable that receives the RFID of type MIFARE. |
HITAG_rfIdType | - | | Name of the process variable that receives the RFID of type HITAG. |
LEGIC_rfIdType | - | | Name of the process variable that receives the RFID of type LEGIC. |
CAAS_SERVICE_NOT_AVAILABLE | - | | Can be used in the BPMN process to react on errors of the CaaS service. |
When the order status is retrieved from Nexus GO Cards, the RFID readouts can contain multiple entries of the same type, for example:
{
  "foundCount": "1",
  "order": {
    "orderId": "3541415",
    "created": "2018-08-29 13:51:02",
    "orderStatus": "Valid",
    "orderStatusId": "1",
    "cardNumber": "BB-1808-636328",
    "layoutId": "147424",
    "productionDate": "2018-08-29",
    "validThru": "2023-08-29",
    "personName": "Demo, Dynamics",
    "readouts": [
      {
        "type": "EM_HEX_LSB",
        "uid": "9876543"
      },
      {
        "type": "EM_HEX_MSB",
        "uid": "12345678"
      }
    ]
  }
}
In these cases the first value of a given type is used; EM_HEX_LSB and EM_HEX_MSB are considered to be of the same type (EM).

Use this task to execute card productions on the server side. The task supports the execution of encodings via Card SDK or via the JPKIEncoder integrated in Identity Manager. Printing is currently not supported.
Delegate expression: ${serverSideCardOperationTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
encodingName | yes | PcmEncProduceEmployeeCard (example) | Name of the encoding description to be executed. |
cardSDK | - | true / false | Flag that configures whether the encoding is executed directly by the Identity Manager server or through Card SDK. Default is true, which means that the encoding is executed through Card SDK. |
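The mapping the order-status task performs (order status into statusVariableKeyName, one UID per RFID family into the *_rfIdType variables, first readout of a family wins) is easy to get wrong when an order carries several readouts of the same family. The following Python is an added example written for this page and is not Identity Manager code; the parameter names come from the table above, while the variable names (Card_EmUid and so on), the MIFARE readout in the sample response, and the rule that the family is the part of the readout type before the first underscore are assumptions.

```python
import json

# Constructed sample response: the Nexus GO Cards example shown above, with
# one extra MIFARE readout added for this example.
SAMPLE_RESPONSE = """{
  "foundCount": "1",
  "order": {
    "orderId": "3541415",
    "orderStatus": "Valid",
    "orderStatusId": "1",
    "cardNumber": "BB-1808-636328",
    "readouts": [
      {"type": "EM_HEX_LSB", "uid": "9876543"},
      {"type": "EM_HEX_MSB", "uid": "12345678"},
      {"type": "MIFARE_HEX", "uid": "04A1B2C3"}
    ]
  }
}"""

# Hypothetical task configuration: parameter names as in the table above,
# the process-variable names on the right are assumptions.
TASK_PARAMS = {
    "orderId": "3541415",
    "statusVariableKeyName": "orderStatus",
    "EM_rfIdType": "Card_EmUid",
    "MIFARE_rfIdType": "Card_MifareUid",
    "HITAG_rfIdType": "Card_HitagUid",
    "LEGIC_rfIdType": "Card_LegicUid",
}

RFID_FAMILIES = ("EM", "MIFARE", "HITAG", "LEGIC")


class CaasServiceNotAvailable(Exception):
    """Stands in for the CAAS_SERVICE_NOT_AVAILABLE error a BPMN process reacts on."""


def readout_family(readout_type):
    """EM_HEX_LSB and EM_HEX_MSB both map to family "EM" (assumed rule: the
    family is the part of the type name before the first underscore)."""
    family = readout_type.split("_", 1)[0].upper()
    return family if family in RFID_FAMILIES else None


def map_order_status(response_text, params):
    """Turn an order-status response into the process variables the task sets.

    Only the first readout of each family is used; later readouts of the
    same family are ignored, as the documentation states.
    """
    try:
        data = json.loads(response_text)
    except json.JSONDecodeError as exc:
        raise CaasServiceNotAvailable("unparseable response") from exc
    if str(data.get("foundCount")) != "1":
        raise LookupError("order %s not found" % params["orderId"])
    order = data["order"]
    if order.get("orderId") != params["orderId"]:
        raise LookupError("response belongs to another order")

    variables = {params["statusVariableKeyName"]: order["orderStatus"]}
    seen = set()
    for readout in order.get("readouts", []):
        family = readout_family(readout["type"])
        variable = params.get("%s_rfIdType" % family) if family else None
        if variable is None or family in seen:
            continue  # unknown family, unconfigured variable, or not the first readout
        variables[variable] = readout["uid"]
        seen.add(family)
    return variables


if __name__ == "__main__":
    print(map_order_status(SAMPLE_RESPONSE, TASK_PARAMS))
```

Families without a configured *_rfIdType parameter are skipped rather than stored under a guessed name, which is what the runtime default table above implies for a deleted optional parameter.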
Certificates
Use this task to trigger a republishing or unpublishing action for a specific certificate in Smart ID Certificate Manager (CM), based on the configured publication procedure.
Delegate expression: ${certificatesPublicationTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
publicationProcedure | yes | | Publication procedure defined in Smart ID Certificate Manager (CM). |
serialnumberField | yes | Certificate_CertSerial | Name of the field in the data map that contains the certificate serial number. |
DataPoolName_Certificate | yes | Certificate | Datapool name of the certificate. |
serialNumberIsDecimal | - | true / false | Indicates that the serial number is already in decimal format. If set to "false" or left out, the serial number is interpreted as hexadecimal. |
A serial number stored in decimal but interpreted as hexadecimal (or vice versa) addresses a different certificate, so check the format of the value in serialnumberField before deciding on this flag.

Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). Smart ID Certificate Manager 8.1 or later is required. If you apply the CMSDK 7.18.1 downgrade package, this task is not available.
Delegate expression: ${acmePreRegistrationTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
hmackey | yes | | The shared secret that secures the further communication. |
keyid | yes | | Identifies the account. |
alloweddomains | yes | | Comma-separated list of domains for which the account is allowed to order certificates. |
certificateTemplate | yes | | Defines the CA connection and the certificate procedure for the pre-registration. For details on the procedure, see Example: ACME configuration in Protocol Gateway. |

Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM). The task sends the common name and password for the specified token procedure to CM, so that CM later accepts (registration) or rejects (de-registration) CMP enrollment requests from the specified clients. The task parameters can be extended with other certificate attributes, see the note below. If you apply the CMSDK 7.18.1 downgrade package, this task is not available.
Delegate expression: ${cmpOrderRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplate | yes | | Name of the certificate template that carries the token procedure and the Smart ID Certificate Manager (CM) connection information. |
commonName | yes | | Identifies, by its fully qualified domain name (FQDN), the machine for which auto-enrollment will be processed. A registration holds exactly one FQDN; several FQDNs require separate registrations. The FQDN supports wildcards, for example "test-*.example.com". |
password | - | | Optional password used to verify the CMP enrollment requests the clients send later; the clients must present the same password in their CMP enrollment request. |
state | yes | Open / Closed | Decides whether this is a registration ("Open") or a de-registration ("Closed") order request in CM. It is a drop-down list with the options "Open" (selected by default) and "Closed". |
validity | - | | Validity of the order request, either "always" or a number of days. CM defaults to "always" if not set. |
A wildcard common name authorizes every host matching the pattern to enroll with the registered password, so keep the pattern as narrow as the use case allows.
Info: the task parameters can be dynamically extended with other certificate attributes following the documented naming convention. Attribute names are not case sensitive, but are otherwise expected to match the documented names exactly. Each attribute can be provided as a single value or as comma-separated multiple values.

Use this task to register or de-register Enrollment over Secure Transport (EST) order requests in Smart ID Certificate Manager (CM). The task sends the common name and password for the specified token procedure to CM, so that CM later accepts (registration) or rejects (de-registration) EST enrollment requests from the specified clients. The task parameters can be extended with other certificate attributes in the same way as for the CMP task. If you apply the CMSDK 7.18.1 downgrade package, this task is not available.
Delegate expression: ${estOrderRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplate | yes | | Name of the certificate template that carries the token procedure and the Smart ID Certificate Manager (CM) connection information. |
commonName | yes | | Identifies, by its fully qualified domain name (FQDN), the machine for which auto-enrollment will be processed. A registration holds exactly one FQDN; several FQDNs require separate registrations. The FQDN supports wildcards, for example "test-*.example.com"; the same caveat as for CMP applies. |
userName | yes | | User name that is allowed to make the EST request. |
password | yes | | Password used to verify the EST enrollment requests the clients send later; the clients must present the same password in their EST enrollment request. |
state | yes | Open / Closed | Decides whether this is a registration ("Open") or a de-registration ("Closed") order request in CM. It is a drop-down list with the options "Open" (selected by default) and "Closed". |
validity | - | | Validity of the order request, either "always" or a number of days. CM defaults to "always" if not set. |
realm | - | | Realm details. |

Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests in Smart ID Certificate Manager (CM). The task is executed on server identities and uses some details of the server identity to create the order request. It sends the common name and password for the specified token procedure to CM, so that CM later accepts (registration) or rejects (de-registration) SCEP enrollment requests from the specified clients. The task parameters can be extended with other certificate attributes in the same way as for the CMP task.
Delegate expression: ${scepOrderRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplate | yes | | Name of the certificate template that carries the token procedure and the Smart ID Certificate Manager (CM) connection information. |
commonName | yes | | Identifies, by its fully qualified domain name (FQDN), the machine for which auto-enrollment will be processed. A registration holds exactly one FQDN; several FQDNs require separate registrations. The FQDN supports wildcards, for example "test-*.example.com". |
enrollReg | yes | true / false | Registration enrollment flag. |
password | yes | | Password used to verify the SCEP enrollment requests the clients send later; the clients must present the same password in their SCEP enrollment request. |
cpmState | yes | 1000 / 1001 | Decides whether this is a registration or a de-registration order request in CM: set to 1000 for a registration, 1001 for a de-registration. |
validity | yes | | Validity of the order request, either "always" or a number of days. CM defaults to "always" if not set. |
emailAddress | yes | | Email address of the responsible person. |
ipAddress | yes | | IP address of the server or machine. |
serialNumber | - | | Serial number of the device, if available. It is not mandatory and can be left blank. |

Use this task to send a PKCS#10 request to the configured CA. Based on the configured certificate template, a new X.509 certificate is requested from the CA. The issued certificate is stored in the Identity Manager database and added to the process map. Certificate templates provide a set of attributes that allow fine-grained configuration.
Delegate expression: ${executePKCS10RequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
P10RequestFormEntry | yes | | Process variable containing the bytes of a PKCS#10 request, that is, the content of either a PEM-encoded or a binary CSR file. |
P10RequestFormResult | yes | | Process variable in which the certificate file is returned. The exact form of the certificate is controlled by booleanResultWithPEMHeaders. |
P7ResponseField | - | | Process variable in which the certificate chain is returned, formatted as a PKCS#7 container. |
certTemplate | yes | | Certificate template name. |
booleanResultWithPEMHeaders | - | true / false | Configures whether the certificate stored in the field named by P10RequestFormResult is the UTF-8 bytes of a PEM-encoded certificate ("-----BEGIN CERTIFICATE----- ...") or the bytes of the plain binary form. |
The following BPMN errors are thrown when requesting the certificate from the CA fails:
- Thrown on any connection issue with the CA.
- Thrown on other CA-related issues, for example key size or key usage.
- Thrown when there is a problem crafting the PKCS#10 request.
Update note: in versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with the delegate expression ${executePlainRequestTask}. Processes that reference the old expression must be adjusted when updating to a newer version such as 3.12.8, 20.06.1 or 3.13.0.

Note: the following task works with Smart ID Certificate Manager (CM) only. Other certificate authorities are not compatible.
Use this task to send a certificate request based on PKCS#10 data extracted via Cert: Extract PKCS#10 Attributes From Request, combined with certificate template data. Mapped Certificate datapool field values in the certificate template can be populated with the extracted PKCS#10 data or set to custom values. Based on the configured certificate template, a new X.509 certificate is requested from the CA. The issued certificate is stored in the Identity Manager database and added to the process map. Certificate templates provide a set of attributes that allow fine-grained configuration.
Delegate expression: ${executeModifiedPKCS10RequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
P10RequestFormEntry | yes | | Process variable containing the bytes of a PKCS#10 request, that is, the content of either a PEM-encoded or a binary CSR file. |
P10RequestFormResult | yes | | Process variable in which the certificate file is returned. The exact form of the certificate is controlled by booleanResultWithPEMHeaders. |
certTemplate | yes | | Certificate template name. |
booleanResultWithPEMHeaders | - | true / false | Configures whether the certificate stored in the field named by P10RequestFormResult is the UTF-8 bytes of a PEM-encoded certificate ("-----BEGIN CERTIFICATE----- ...") or the bytes of the plain binary form. |
P7ResponseField | - | | Process variable in which the certificate chain is returned, formatted as a PKCS#7 container. |
Three types of BPMN error are thrown when requesting the certificate from the CA fails:
- Thrown on any connection issue with the CA.
- Thrown on other CA-related issues, for example key size or key usage.
- Thrown when there is a problem crafting the PKCS#10 request.

Use this task to extract attributes from a certificate.
Delegate expression: ${extractCertAttributesTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Example value | Description |
---|---|---|---|
X509Field | yes | Certificate_Data | Name of the field containing the certificate as binary data. It must be contained in the process map. |
RSAPublicExponent | - | CERTpublicExponent | Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates. |
keySize | - | CERTkeySize | Field to store the key size of the certificate's public key as Integer. |
keyType* | - | CERTkeyType | Field to store the key type description. For EC keys this also includes the curve name. Note: the format is subject to change. |
keyUsage* | - | CERTkeyUsage | Field to store the key usages. |
extKeyUsage* | - | CERTextKeyUsage | Field to store the extended key usages. |
hashAlgorithm* | - | CERThashAlgorithm | Field to store the hash algorithm name. |
validFrom | - | CERTvalidFrom | Field to store the start date of the validity period as Date. |
validTo | - | CERTvalidTo | Field to store the end date of the validity period as Date. |
subjectDN | - | CERTsubjectDN | Field to store the subject distinguished name. |
issuerDN | - | CERTissuerDN | Field to store the issuer distinguished name. |
certSerialNumber | - | CERTserialNumber | Field to store the serial number. |
cdpUrls* | - | CERTcdpUrls | Field to store a concatenated, comma-space-separated string of all CRL distribution point URLs. |
ocspUrls* | - | CERTocspUrls | Field to store a concatenated, comma-space-separated string of all OCSP responder URLs. |
SAN_EMAIL | - | CERTsanEmail | Field to store the SAN email addresses. |
SAN_UPN | - | CERTsanUpn | Field to store the SAN user principal names. |
SAN_DNS | - | CERTsanDns | Field to store the SAN DNS names. |
SAN_IP | - | CERTsanIp | Field to store the SAN IP addresses. |
SAN_URI | - | CERTsanUri | Field to store the SAN uniform resource identifiers. |
SAN_GUID | - | CERTsanGuid | Field to store the SAN globally unique identifiers. |
SAN_RID | - | CERTsanRid | Field to store the SAN registered IDs. |
GIVENNAME | - | CertDnGIVENNAME | Field to store the given name. |
SURNAME | - | CertDnSURNAME | Field to store the surname. |
NAME | - | CertDnNAME | Field to store the name. |
GENERATION | - | CertDnGENERATION | Field to store the generation. |
C | - | CertDnC | Field to store the country. |
CN | - | CertDnCN | Field to store the common name. |
L | - | CertDnL | Field to store the locality. |
O | - | CertDnO | Field to store the organization. |
OU | - | CertDnOU | Field to store the organizational unit. |
ST | - | CertDnST | Field to store the state. |
INITIALS | - | CertDnINITIALS | Field to store the initials. |
TITLE | - | CertDnTITLE | Field to store the title. |
E | - | CertDnEMAIL | Field to store the email address (from the DN). |
PSEUDONYM | - | CertDnPSEUDONYM | Field to store the pseudonym. |
DNQ | - | CertDnDNQ | Field to store the DN qualifier. |
USER_ID | - | CertDnUSERID | Field to store the user ID. |
TELEPHONE_NUMBER | - | CertDnTEL | Field to store the telephone number. |
POSTAL_CODE | - | CertDnPOSTALCODE | Field to store the postal code. |
POSTAL_ADDRESS | - | CertDnPOSTALADDR | Field to store the postal address. |
STREET | - | CertDnSTREET | Field to store the street. |
UNIQUE_IDENTIFIER | - | CertDnUNIQUEID | Field to store the unique identifier. |
SN | - | CertDnSERIAL | Field to store the DN serial number. |
ORGANIZATION_IDENTIFIER | - | CertDnORGID | Field to store the organisation identifier. |
DC | - | CertDnDC | Field to store the domain component. |
* These parameters require PRIME 3.12.4 or later.
If non-datapool target fields are used for extracted attributes, you will run into problems when extracting multiple instances of the same attribute (for example multiple OUs). Example: the DN is DN=hello, OU=firstOrg, OU=secondOrg and the target variable for the OU parameter is DnOrgUnit. This results in two variable assignments, DnOrgUnit and DnOrgUnit_1. The issue is that DnOrgUnit_1 contains an underscore despite not being a datapool field, which causes it to be misinterpreted as field 1 of a datapool named DnOrgUnit instead of a standard process variable named DnOrgUnit_1. To avoid this, either make sure that all target fields are datapool fields, or use additional service tasks, for example Process: Set Value of Variable in Process Map, to copy the values into properly named fields before further processing.
In case of error, the following parameters are set:
Parameter | Mandatory | Value | Description |
---|---|---|---|
ExtractionResult* | yes | success / error | Set to "success" by default; set to "error" if one of the errors listed for ExtractionResultErrorMsg occurs. |
ExtractionResultErrorMsg* | - | | If one of the errors occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters." |
* These parameters require PRIME 3.12.4 or later.

Use this task to revoke an existing certificate. The task must be executed on a Certificate object or with Certificate data available in the process map. Its parameters, among them the target state of the certificate, can be given either as fixed values or resolved from process variables.

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate in Smart ID Certificate Manager (CM), based on the configured publication procedure. PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2, CM 7.18.1 with hotfix 7.18.1.1, or any later version. Officially supported in PRIME 3.10. The serial number parameter names the field in the data map that contains the serial number: this is the subject serial number that Identity Manager assigns when requesting a PGP certificate and stores in place of an X.509 certificate serial number in the Identity Manager certificate object.

Cert: Extract PKCS#10 Attributes From Request: use this task to extract all subject DN attributes, as well as the SAN attributes, from a PKCS#10 request. The CSR may be PEM-encoded or binary.
Delegate expression: ${extractPKCS10AttributesFromRequestTask}

Use this task to fetch the IDs of the latest certificates to be recovered and put them into the process map in a format suitable for key recovery. The user whose certificates are fetched is the user found in the process map. The certificates fetched are the <count> latest certificates of type <certTemplate> that are related via ObjectRelations either directly to the user or to the user over a Card. SKI (Secure Key Injection): the task also looks for associated cards of the person and retrieves thumbprint information if the card ICCSN is provided in the process map; the thumbprint is saved to the process map if it is available in the database.
Delegate expression: ${prepareDataForCertificateKeyRecoveryTask}
processVariable is the process variable that receives the IDs. Its default value is "Certificate_CoreObjects", taken from action-beans.xml, bean id="keyArchivalRequestPreProcessor" and bean id="certificateKeyRecovery" (bean[@id="keyArchivalRequestPreProcessor"]/property[@name="coreObjectIDKey"]/@value). Use this default unless there is an urgent requirement to change it.
ObjectRelationType is a comma-separated list of relation types between Persons, Cards and Certificates (for example Default, Deputy). When provided, the task loads only the person's certificates with matching relations into the process variable; otherwise it loads certificates with all available relation types. This is a general white-list that does not distinguish between the objects involved in a relation (Person<>Card, Person<>Certificate, Card<>Certificate, and so on), so construct the relation types carefully to avoid accidentally recovering unwanted certificates.
Example: assume that no direct Person<>Certificate relations exist (only cards were produced, no soft tokens) and that all Person<>Card relations use the type "Default". Then "Default" has to be part of the list; otherwise no card is found, and thus no certificates of the card. Assume further that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User". Then ObjectRelationType=Default, User recovers both types, and ObjectRelationType=User recovers nothing, because the parent Person<>Card relation does not match. To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person always use the default type, so they should not share a certificate template with the certificates on a card if you do not want to include them.
To use this task, select it in Identity Manager Admin and configure the parameters. No bean configuration is required. A later action must perform the actual key recovery.

Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager (CM). When new certificates are requested, the values are taken from the certificate template configured under "archivalTemplate". The attributes Common Name (CN), Email (SAN_EMAIL), Surname (SURNAME) and Givenname (GIVENNAME) can be set there.
Delegate expression: ${executePgpSoftTokenAction}

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 container and either save it to the secret field store or send it by email. There are two ways to obtain the certificate, recovering existing certificates (recoverCerts) or requesting a new one (requestCert); both can be combined or used independently. If no certificate is obtained, the task fails. Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores cannot be opened with Java < 11.0.3 unless BouncyCastle (BC) is used as the KeyStore provider.
Delegate expression: ${executeSoftTokenRequestAndRecovery2}
The value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes are put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example PKCS10RequestFormEntryCn for the CN attribute with the default value of P10RequestFormEntry, or PKCS10RequestFormEntrySANEMAIL for the SAN email address.
Delegate expression: ${extractPKCS10AttributesFromRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
P10RequestFormEntry | yes | PKCS10RequestFormEntry | Process variable containing the content of a CSR file as an array of bytes. The CSR file may be either PEM-encoded or binary. |
Extracted attributes: the subject DN attributes, the SAN attributes and the other attributes of the request are all stored with the prefix given by P10RequestFormEntry (PKCS10RequestFormEntry by default).
* Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance, due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.
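The PKCS#10 tasks above accept the CSR bytes either PEM-encoded or binary and return the certificate either as PEM text or as plain DER, depending on booleanResultWithPEMHeaders. The Python below is an added example written for this page, not Identity Manager code: it normalizes an uploaded CSR to DER (rejecting input that is neither PEM nor a complete outer DER SEQUENCE) and produces the two result forms. The stand-in DER blob is a constructed minimal SEQUENCE, not a real CSR, so that the block runs without a crypto library; the function names are assumptions.

```python
import base64
import re

# PEM armor seen on CSR uploads; both the plain and the "NEW" label are accepted.
_PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*(?P<body>.*?)\s*"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def _der_total_length(der):
    """Length of the outer DER SEQUENCE including its header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = SEQUENCE, the outer tag of a PKCS#10
        return None
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def csr_to_der(raw):
    """Normalize P10RequestFormEntry bytes: accept PEM or binary DER, return DER.

    Raises ValueError if the input is neither, or if the DER length does not
    match the outer SEQUENCE (truncated upload or trailing garbage).
    """
    match = _PEM_RE.search(raw)
    if match:
        try:
            der = base64.b64decode(match.group("body"), validate=False)
        except ValueError as exc:
            raise ValueError("PEM body is not valid base64") from exc
    else:
        der = bytes(raw)
    if _der_total_length(der) != len(der):
        raise ValueError("not a well-formed DER structure")
    return der


def certificate_result(der_cert, with_pem_headers):
    """Mimic booleanResultWithPEMHeaders: PEM text as UTF-8 bytes when true, raw DER otherwise."""
    if not with_pem_headers:
        return der_cert
    b64 = base64.b64encode(der_cert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # RFC 7468 line length
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return pem.encode("utf-8")


# Constructed stand-in: a minimal DER SEQUENCE containing one INTEGER (5).
# It is not a real CSR; it only exercises PEM/DER detection and the length check.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER) + b"\n"
    + b"-----END CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    print(csr_to_der(SAMPLE_PEM).hex())
    print(certificate_result(SAMPLE_DER, True).decode("utf-8"))
```

The length check is the cheap part of input validation that catches a truncated or concatenated upload before it reaches the CA; full syntax and signature verification of the CSR still belongs to the PKCS#10 parser behind the task.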
Delegate expression: ${prepareDataForCertificateKeyRecoveryTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplates | yes | | Comma-separated list of the certificate core template names of the certificates to be recovered. |
count | yes | | Fetch the IDs of the latest <count> certificates. |
DataPoolName_Certificate | yes | | Datapool name of the Certificate core object. |
DataPoolName_Person | yes | | Datapool name of the Person core object. |
DataPoolName_Card | yes | | Datapool name of the Card core object. |
ObjectRelationType | - | | Comma-separated white-list of relation types (for example Default, Deputy). If omitted, certificates of all relation types are loaded. |
processVariable | - | Certificate_CoreObjects | Process variable that receives the certificate IDs. Keep the default unless there is an urgent requirement to change it. |
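The ObjectRelationType pitfall described for this task (one white-list applied to Person<>Card and Card<>Certificate relations alike) is easiest to see on data. The Python below is an added example written for this page and does not reproduce Identity Manager's implementation; it models ObjectRelations as plain tuples and replays the documented scenario, including the recommended fix of a dedicated type for every Card<>Certificate relation. Object IDs, template names, dates and the relation type "Auth" are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Relation:
    """One ObjectRelation between two core objects, e.g. Person:1 <-> Card:7."""
    left: str
    right: str
    rel_type: str


def related_objects(obj, relations, allowed_types, kind):
    """Objects of the given kind related to obj in either direction, keeping
    only relation types in allowed_types (None means all types)."""
    found = []
    for rel in relations:
        if allowed_types is not None and rel.rel_type not in allowed_types:
            continue
        for a, b in ((rel.left, rel.right), (rel.right, rel.left)):
            if a == obj and b.startswith(kind + ":"):
                found.append(b)
    return found


def prepare_key_recovery(person, relations, certificates, cert_templates, count,
                         object_relation_type=None):
    """IDs of the <count> newest certificates of the given templates related to
    person directly or via one of the person's cards.

    object_relation_type is the comma-separated white-list of the task
    parameter. It filters Person<>Card, Person<>Certificate and
    Card<>Certificate relations alike, which is exactly the documented trap.
    """
    allowed = None
    if object_relation_type:
        allowed = {t.strip() for t in object_relation_type.split(",")}
    templates = {t.strip() for t in cert_templates.split(",")}

    candidates = set(related_objects(person, relations, allowed, "Certificate"))
    for card in related_objects(person, relations, allowed, "Card"):
        candidates.update(related_objects(card, relations, allowed, "Certificate"))

    matching = [c for c in candidates if certificates[c]["template"] in templates]
    matching.sort(key=lambda c: certificates[c]["created"], reverse=True)
    return matching[:count]


# Constructed data: one card related with type "Default", Card<>Certificate
# relations that mix "Default" and "User", plus a soft token certificate
# related directly to the person (always the default type).
CERTIFICATES = {
    "Certificate:100": {"template": "UserCert", "created": date(2023, 1, 10)},
    "Certificate:101": {"template": "UserCert", "created": date(2023, 2, 1)},
    "Certificate:102": {"template": "SoftTokenCert", "created": date(2023, 3, 1)},
}
MIXED_RELATIONS = [
    Relation("Person:1", "Card:7", "Default"),
    Relation("Card:7", "Certificate:100", "Default"),
    Relation("Card:7", "Certificate:101", "User"),
    Relation("Person:1", "Certificate:102", "Default"),
]
# The recommended fix: a dedicated type for every Card<>Certificate relation.
FIXED_RELATIONS = [
    Relation("Person:1", "Card:7", "Default"),
    Relation("Card:7", "Certificate:100", "Auth"),
    Relation("Card:7", "Certificate:101", "User"),
    Relation("Person:1", "Certificate:102", "Default"),
]

if __name__ == "__main__":
    for types in (None, "Default, User", "User", "Default"):
        print(types, prepare_key_recovery("Person:1", MIXED_RELATIONS, CERTIFICATES, "UserCert", 10, types))
    print("fixed", prepare_key_recovery("Person:1", FIXED_RELATIONS, CERTIFICATES, "UserCert", 10, "Default, User"))
```

With the mixed relations, "Default, User" recovers both card certificates and "User" alone recovers nothing, because the Person<>Card relation is filtered out first; only the dedicated-type layout lets "Default, User" select exactly the "User" certificate. The soft token certificate stays out of every run because it uses a different template, which is the other recommendation above.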
Attributes of the archival certificate template:
Attribute | Description |
---|---|
CN | Expression that defines the CN sent with the PGP key archival request; mandatory part of the PGP user ID created by Certificate Manager. |
SAN_EMAIL | Expression that defines the SAN_EMAIL sent with the PGP key archival request; mandatory part of the PGP user ID created by Certificate Manager. |
SURNAME | Expression that defines the SURNAME sent with the PGP key archival request; optional part of the PGP user ID created by Certificate Manager. |
GIVENNAME | Expression that defines the GIVENNAME sent with the PGP key archival request; optional part of the PGP user ID created by Certificate Manager. |
Delegate expression: ${executePgpSoftTokenAction}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
requestAndArchive | yes | true / false | If true, new PGP keys are requested and archived (you cannot request new keys that are not archived). |
passwordField | yes | Person_PasswordRef | Name of the secret field that provides the password for encrypting the secret keyrings. |
archivalTemplate | if requestAndArchive is true | PkiBoPgpCert | Name of the PGP archival certificate template configured in Identity Manager, must match the config of |
archivalSubjectSerialNumberPrefix | - | ${Person_UPN} | Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look like "MyResolvedPrefixc97cb0de-4774-454c-8568-82fbcd6ee710". |
recover | yes | true / false | If true, the existing PGP keys of the user are recovered. |
recoveryTemplate | if recover is true | PkiBoPgpRecovery | Name of the PGP recovery certificate template configured in Identity Manager. |
certificatesForRecovery | if recover is true | Certificate_CoreObjects | Process variable containing the core object ID (or list of IDs) or the core object descriptor list of the certificates to recover. |
mailDefinitionName | if publicKeyringsField and secretKeyringsField are missing | PGP Softtoken Mail | Name of the mail definition for the PGP soft token mail (no mail is sent if this is missing). |
mailEncryptionCertificates | - | Certificate_Enc | Process variable containing the core object descriptor list of the certificates used to encrypt the soft token mail. |
publicKeyringsField | if mailDefinitionName is missing | PublicPgpKeyRefForDownload | Name of the process variable in which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its reference saved to the process map). |
secretKeyringsField | if mailDefinitionName is missing | SecretPgpKeyRefForDownload | Name of the process variable in which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its reference saved to the process map). |
errorMessageField | yes | ErrorMessage (default value) | Name of the process variable in which the BpmnError message is saved if one is thrown. |
errorTypeField | yes | ErrorType (default value) | Name of the process variable in which the BpmnError type is saved if one is thrown. |
ssnsIssuedNotPropagatedField | yes | SubjectSerialNumbersIssuedNotPropagated (default value) | Name of the process variable in which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown. This information can be used to unpublish the keys, which may require additional lookups in Smart ID Certificate Manager (CM). |
Configuration
${executeSoftTokenRequestAndRecovery2}
Parameter | Mandatory | Value | Description |
---|---|---|---|
p12PasswordField |  |  | Password variable field for the generated PKCS#12 container. There are actions to create one. |
recoverCerts |  |  | Whether recovery should be executed. |
processVariable | if recoverCerts = true |  | Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. |
recoveryTemplate | - |  | Certificate template used for recovery. Not necessary for some CAs. |
requestCert |  |  | Whether a new certificate should be requested (plain request). |
certTemplate | if requestCert = true |  | Certificate template used for requesting the new certificate. |
includeChain | - |  | If present and set to false, the certificate chain is skipped and only end-entity certificates are included. |
keyArchival |  |  | Whether the created keys are archived in the CA. |
mailDefinitionName | - |  | If empty, no mail is sent. |
encryptionCertificates | - |  | The core object descriptor list of the certificates used for email encryption. |
p12RefField | - |  | Field to store the PKCS#12 container in Base64 encoding. |
errorMessageField |  |  | Field to store the human readable message in case of error. |
errorTypeField |  |  | Field to store the error type (ERROR, CA_ERROR or MAIL_ERROR). |
certsToRevokeField |  |  | In case of error, the newly created certificates are stored as a list of core object ids. These certificates can in turn be revoked by the process if desired. |
p12EncryptionAlgo | - |  | The encryption algorithm to use for the PKCS#12 keystore. |
p12EncryptionIterations | - |  | The iteration count for the key derivation of the PKCS#12 encryption. |
p12PseudoRandomFunction | - | HMac with SHA-256 (OID: 1.2.840.113549.2.9) | The PRF to use for the PKCS#12 keystore. |
p12HashAlgo | - |  | The hashing (MAC) algorithm to use for the PKCS#12 keystore. |
p12HashIterations | - |  | The hashing (MAC) iterations. |
Description
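The p12HashAlgo and p12HashIterations parameters of executeSoftTokenRequestAndRecovery2 above select the digest and iteration count of the PKCS#12 MacData integrity check, and p12EncryptionIterations the cost of deriving the container encryption key. The following Python block is an added example, not Identity Manager code: it implements the PKCS#12 key derivation function of RFC 7292 Appendix B.2 and uses it to compute and verify a container MAC, so the effect of changing the hash algorithm or the iteration count is visible directly. The password, salt and AuthenticatedSafe bytes are constructed sample input, not taken from a real container.

```python
import hashlib
import hmac
import math


def pkcs12_kdf(password: str, salt: bytes, iterations: int, purpose_id: int,
               key_len: int, hash_name: str = "sha256") -> bytes:
    """PKCS#12 key derivation (RFC 7292, Appendix B.2), not PBKDF2.

    purpose_id: 1 = encryption key, 2 = IV, 3 = MAC key.
    The password is a BMPString: UTF-16BE followed by two zero bytes.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h = hashlib.new(hash_name)
    u, v = h.digest_size, h.block_size          # sha256: u = 32, v = 64
    D = bytes([purpose_id]) * v                 # the "diversifier" block

    def expand(data: bytes) -> bytes:
        # repeat data up to the next multiple of v bytes (empty stays empty)
        if not data:
            return b""
        n = v * math.ceil(len(data) / v)
        return (data * (n // len(data) + 1))[:n]

    pw = password.encode("utf-16-be") + b"\x00\x00"
    I = bytearray(expand(salt) + expand(pw))
    out = b""
    while len(out) < key_len:
        A = D + bytes(I)
        for _ in range(iterations):             # this loop is the configured cost
            A = hashlib.new(hash_name, A).digest()
        out += A
        B = int.from_bytes((A * (v // u + 1))[:v], "big")
        for j in range(0, len(I), v):           # I_j = (I_j + B + 1) mod 2^(8v)
            Ij = int.from_bytes(I[j:j + v], "big")
            I[j:j + v] = ((Ij + B + 1) % (1 << (8 * v))).to_bytes(v, "big")
    return out[:key_len]


def pkcs12_mac(password: str, salt: bytes, iterations: int, auth_safe: bytes,
               hash_name: str = "sha256") -> bytes:
    """MacData.mac of a PKCS#12 file: HMAC over the AuthenticatedSafe content
    octets, keyed with a purpose-3 KDF output as long as the digest."""
    key_len = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(password, salt, iterations, 3, key_len, hash_name)
    return hmac.new(key, auth_safe, hash_name).digest()


def verify_pkcs12_mac(password: str, salt: bytes, iterations: int, auth_safe: bytes,
                      expected: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison; a wrong password, salt, digest or iteration
    count (the p12Hash* settings) all fail here before any key is touched."""
    actual = pkcs12_mac(password, salt, iterations, auth_safe, hash_name)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # constructed sample input, not a real container
    salt = bytes(range(8))
    auth_safe = b"constructed AuthenticatedSafe content octets"
    mac = pkcs12_mac("changeit", salt, 2048, auth_safe)
    print("mac:", mac.hex())
    print("verify (sha256, 2048):", verify_pkcs12_mac("changeit", salt, 2048, auth_safe, mac))
    print("verify (sha256, 2047):", verify_pkcs12_mac("changeit", salt, 2047, auth_safe, mac))
```

On a real container produced with non-default p12* settings, `openssl pkcs12 -info -noout -in <file>` prints the MAC digest, the MAC iteration count and the PBE algorithm of the encrypted bags, which is the check that the configured values actually took effect.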
Configuration
${revokeCertificateTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
certificateDataPool |  |  | Certificate data pool name. The default certificate data pool is "Certificate". |
targetState |  |  |  |
Description
Configuration
${pgpCertificatesPublicationTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
publicationProcedure |  | CertEP CA Certificate to AD (Enrollment Services) | Publication or unpublication procedure defined in Smart ID Certificate Manager (CM). |
serialnumberField |  | Certificate_CertSerial |  |
DataPoolName_Certificate |  | Certificate | Data pool name of the certificate. |
Cert QuoVadis PKI
Description
Use this task to create a new domain request in the QuoVadis Certificate Authority. It is saved as a request core-object in a dedicated data-pool.
Prerequisites
Data-pool
Usually the internal Requests table is used as data-source as shown below:
State-graph
Request core-template
Search-configuration (optional)
Configuration
To use this task, configure the following delegate expression in your service task:
${quoVadisRequestDomainParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
quoVadisConnection |  |  | QuoVadis connection name. |
organisation |  |  | QuoVadis organisation name. |
adminEmail |  |  | QuoVadis administrator e-mail address. |
domain |  |  | Domain or IP-address for which to issue the request. |
isEV |  |  | Whether you want to use extended validation with this domain. |
requestTemplate |  |  | The core template name which should be used for the new QuoVadis domain request core objects. |
errorMsgField |  | ErrorMsg | The name of the field in which to save the error message for errors that happen during the CA request or when saving the core-object. If no such error happened, this field is not set. |
errorCodeField |  | ErrorCode | The name of the field in which to save the error code for errors that happen during the CA request or when saving the core-object. If no such error happened, this field is not set. The code can be either of the following: |
→ could not issue the domain request at the CA
→ domain request was successful, but creating the request core-object failed

Description
Use this task to query the status of a QuoVadis domain request in the Certificate Authority and update the state of the request core-object in Identity Manager accordingly. The QuoVadis API does not allow any other kind of interaction with a created domain request besides querying its status; cancelling a request, for example, is not supported. The prerequisites of the Cert QuoVadis PKI: Create domain request task above also apply here.
Prerequisites
This task requires a QuoVadis domain request core-object to be loaded into the process map before execution.
Configuration
To use this task, configure the following delegate expression in your service task:
${quoVadisUpdateDomainRequestStatusParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
quoVadisConnection |  |  | QuoVadis connection name. |
organisation |  |  | QuoVadis organisation name. |
requestDataPool |  |  | Data-pool for QuoVadis domain requests. |
errorMsgField |  | ErrorMsg | The name of the field in which to save the error message for errors that happen during the CA request or when saving the core-object. If no such error happened, this field is not set. |
errorCodeField |  | ErrorCode | The name of the field in which to save the error code for errors that happen during the CA request or when saving the core-object. If no such error happened, this field is not set. The code can be either of the following: |
→ could not query the domain request status at the CA
→ querying the request status was successful, but could not update the state of the request core-object

Description
Use this task to save the account domain list from the QuoVadis Certificate Authority into an Identity Manager lookup table. This task deletes the old domain list entry and creates a fresh entry in the configured lookup table.
Prerequisites
Datapool
Lookup table
Create a lookup table-based datapool and core template name for storing the domain list information in Identity Manager.
Configuration
To use this task, configure the following delegate expression in your service task:
${quoVadisDomainListUpdateParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
quoVadisConnection |  |  | QuoVadis connection name. |
coreTemplateName |  |  | The core template name which should be used for the new core objects. This core template should consist of the lookup table type DomainList Datapool. |
Core Objects
Description
Use this task to check if a relation between two core objects exists. The names of both data pools have to be provided. The direction of the relation is not relevant, meaning that source and destination may be exchanged.
Configuration
To use this task, configure the following delegate expression in your service task:
${checkObjectRelationParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
sourceDataPoolName |  |  | The name of the source data pool that is used to check the relation with the destination data pool. |
destinationDataPoolName |  |  | The name of the destination data pool that is used to check the relation with the source data pool. |
resultVariable |  |  | The name of the field indicating if a relation between the source and destination data pool exists. Contains either a "true" or a "false" value: "true" means that the objects are related to each other, "false" means that there is no relation between them. |

Description
Use this task to create a relation between two core objects.
Object Relations tab
In this tab you manage the object relation types. A default entry is already set per tenant. Exactly one configuration must be the default configuration, which is used when saving data, see Set up process in Identity Manager, the Save Data task. Include these two fields in an object relations configuration:
Configuration
To use this task, configure the following delegate expression in your service task:
${createRelationParametrizedJavaDelegate}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
relationType |  | Default | Type of the relation. The object relation type must exist or an exception is thrown. |
source |  |  | Data pool name of the source of the relation that is to be created. The core template name of this data pool is saved in the database. |
destination |  |  | Data pool name of the target of the relation that is to be created. The core template name of this data pool is saved in the database. |
includeRelationTypeToCompareOfObjects |  |  | Flag indicating whether the relation type is included when checking if the relation already exists. If you want to create multiple relations of different types between two core objects, this parameter has to be set to true. Example: a relation Card → Certificate already exists in the database with the relation type "OldRelation"; only with this flag set to true can a second relation of another type be created between the same two objects. |
exceptionIsThrownIfRelationAlreadyExists |  |  | Flag indicating how the application reacts if the relation already exists. If set to "true", an exception is thrown; otherwise nothing is done. |

Description
Use this task to remove existing relations between objects. The removal applies to all relations between one specific object and either a second single object, all objects of a data pool, or all objects of a core template. Furthermore, it is independently possible to restrict the removal to relations of a specific type.
Example: An employee started working with a replacement card. Later he or she receives an employee card. The connection to the reusable replacement card can then be removed.
Configuration
To use this task, configure the following delegate expression in your service task:
${dropRelationsParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
dataPoolName |  |  | Data pool name of the object whose relations shall be removed. |
objectType |  |  | Deprecated. This parameter has the same meaning as coreTemplateName and is only provided for downgrade compatibility. |
secondDataPoolName | - |  | Single Drop: Data pool name of the second single object. This object has to be available inside the Process Map. Only one of secondDataPoolName, secondDataPoolNameDropAll and coreTemplateName is allowed to be filled! |
secondDataPoolNameDropAll | - |  | Data pool Drop: Name of a data pool. Relations to all objects belonging to this data pool are removed. |
coreTemplateName | - |  | Core Template Drop: Name of a core template. Relations to all objects belonging to this template are removed. |
relationType | - |  | When configured, only relations of the specified type are removed. |

Description
Use this task to find core objects (for example, soft tokens) that will expire within a given time range.
Configuration
To use this task, configure the following delegate expression in your service task:
${coreObjectExpiryCheckParameterizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
coreTemplateNameList |  |  | Comma separated list of core template names that shall be the base of the search. |
fieldName |  |  | Name of the data pool field that indicates the expiration date, for example, ValidTo. The data pool must belong to the core template(s) mentioned above. |
offsetInDays |  |  | The offset in days before the related core objects expire. The base is the field specified by fieldName, for example ValidTo. If you provide a value for offsetInDays, then logically ValidTo - offsetInDays = dateToFindSofttoken. Example: the expiry date of a soft token is 31 March 2017. If offsetInDays is set to 30, the service task only finds the soft token from 1 March 2017 on. |
coreObjectIdListVariableName | - |  | Name of the variable containing the core objects that were found during the search. It contains only the core object ids. |
Meta_CoreObjectState_Field |  |  | Name of the data pool field that indicates the state of the core object. The data pool must belong to the core template(s) mentioned above. |
Meta_CoreObjectState_Value |  |  | The actual state that shall be used for filtering the search. |
Credentials
Description
Use this task to generate a response using the card manager key and a challenge for the offline unblocking process.
Configuration
To use this task, configure the following delegate expression in your service task:
${challengeResponseGeneratorTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
CardManagerKeyField |  |  | The name of the field that holds the reference value to the card manager key (for example, Card_CardManagerKey). Must be a reference field. |
ChallengeField |  |  | The challenge provided by Windows or a 3rd party tool. |
ResponseField |  |  | The response generated by this task to support unblocking. |
DisableDerivation | - |  | Set to "true" if you want to use the CardManagerKey directly as challenge/response key instead of deriving one. This is relevant for non-Cryptovision middlewares (for example, CardOS or Gemalto), where a 3DES CardManagerKey is used directly instead of a 2DES key from which the actual challenge/response key is derived. If the parameter is absent, derivation is enabled and a 2DES CardManagerKey is expected. |
DisableDerivationField | - |  | If present, points to a field containing the (override) value of DisableDerivation. If both DisableDerivation and DisableDerivationField are present and the referenced field contains a value, the latter takes precedence. This is mainly intended for deployments that deal with multiple middlewares which require different DisableDerivation values (for example CV + CardOS). |
The following dependencies must be configured in the Spring configuration:
Dependency | Description |
---|---|
secretFieldsArchiver | Responsible for archiving the secrets into the secret field store. |

Description
Use this task to generate a 2DES / 3DES key as card manager key for minidriver compatible cards. The generated value is saved in an encrypted field.
Configuration
To use this task, configure the following delegate expression in your service task:
${cardManagerKeyProviderTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
passwordFieldName |  |  | The name of the field that should hold the reference value to the card manager key. Must be a reference field. |
blockCount | - |  | Desired key length in blocks of 8 bytes. By default 2DES keys (2 blocks, 16 bytes) are generated. If you generate keys for CardOS or Gemalto, set the parameter to 3 so that 3DES keys (3 blocks, 24 bytes) are generated instead. This distinction is needed because for Cryptovision multiple keys, including the challenge/response key, are derived from a 2DES key, whereas for CardOS and Gemalto the challenge/response key is generated directly and needs to be 3DES. |
blockCountFieldName | - |  | If given, points to a field containing the (override) value of blockCount. If both blockCount and blockCountFieldName are present and the referenced field contains a value, the latter takes precedence. This is mainly intended for deployments that deal with multiple middlewares which require different blockCount values (for example, CV + CardOS). |
The following dependencies must be configured in the Spring configuration:
Dependency | Description |
---|---|
secretRefValueGenerator | Responsible for generating the reference value that is used to keep the reference to the secret value in the secret field store. |
secretFieldsArchiver | Responsible for archiving the secrets into the secret field store. |

Description
Use this task to generate a value for PIN and PUK according to certain rules (length, allowed characters) and to archive those values for later retrieval during card production or for PIN letter printing.
Configuration
To use this task, configure the following delegate expression in your service task:
${generateAndArchivePinAndPukParameterizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pinFieldName |  |  | The name of the field that shall hold the reference value to the archived PIN. |
pukFieldName |  |  | The name of the field that shall hold the reference value to the archived PUK. |
pinLength | - |  | The desired length of the PIN. |
pukLength | - |  | The desired length of the PUK. |
pinAllowedCharacters | - |  | Describes the characters to be used for generating the PIN value. |
pukAllowedCharacters | - |  | Describes the characters to be used for generating the PUK value. |

Description
Use this task to generate a password or another secret and to archive the value for later retrieval during card production or for PIN letter printing. The secret value is also hashed and stored in a separate field for easier comparison. The hash algorithm is defined in Spring, since it must be the same as the one used for checking the passwords during login.
Configuration
To use this task, configure the following delegate expression in your service task:
${generateAndArchivePasswordWithMaxLengthAndAllowedCharactersTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
passwordFieldName | - |  | The name of the field that should hold the reference value to the archived password. Must be a reference field. |
passwordHashFieldName | - |  | The name of the field that should hold the hashed value of the password. The hash algorithm is defined in Spring. The data pool field must be of type password. |
passwordLength |  |  | The desired length of the generated password. |
passwordAllowedCharacters |  |  | Describes the characters to be used for generating the password value. |
The following dependencies must be configured in Spring:
Dependency | Description |
---|---|
passwordHashGenerator | The generator responsible for generating the hash value of the secret value. This is the place to define the hash algorithm. |
secretRefValueGenerator | Responsible for generating the reference value that is used to keep the reference to the secret value in the secret field store. |
secretFieldsArchiver | Responsible for archiving the secrets into the secret field store. |
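The PIN/PUK and password tasks above take a length and an allowed-character set and additionally store a hash of the password for comparison at login. The following Python block is an added example, not Identity Manager code, of what a sound implementation of those two steps looks like: the secret is drawn from the OS CSPRNG with a uniform choice over the de-duplicated alphabet, its guessing entropy is reported so that a short numeric PIN is recognised as something that must be rate-limited rather than trusted on its own, and the stored hash is salted, iterated and compared in constant time. The hash format, PBKDF2-HMAC-SHA256 and the iteration count are this example's choices (the product takes the algorithm from the Spring passwordHashGenerator bean, whose configuration the page does not show); the sample lengths and alphabets are constructed.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional


def generate_secret(length: int, allowed_characters: str) -> str:
    """Generate a PIN, PUK or password of `length` characters.

    Models the pinLength/pinAllowedCharacters style of parameters (an
    assumption about their semantics). Every character comes from the OS
    CSPRNG via `secrets`; the `random` module is not acceptable for
    credentials. Duplicates are removed first so each symbol is equally likely.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    alphabet = "".join(sorted(set(allowed_characters)))
    if len(alphabet) < 2:
        raise ValueError("allowedCharacters must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, allowed_characters: str) -> float:
    """Guessing entropy of a generate_secret() output: length * log2(|alphabet|)."""
    return length * math.log2(len(set(allowed_characters)))


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$<iter>$<salt hex>$<hash hex>'.

    A per-secret random salt keeps equal PINs from producing equal hashes,
    so a dump of the hash field does not reveal which users share a PIN.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # constructed sample parameters
    digits = "0123456789"
    alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    pin, puk = generate_secret(6, digits), generate_secret(8, digits)
    password = generate_secret(12, alnum)
    print("PIN %s (%.1f bits), PUK %s (%.1f bits)" % (
        pin, entropy_bits(6, digits), puk, entropy_bits(8, digits)))
    print("password %s (%.1f bits)" % (password, entropy_bits(12, alnum)))
    stored = hash_secret(password)
    print(stored)
    print("verify:", verify_secret(password, stored), verify_secret(password + "x", stored))
```

A six-digit PIN carries under 20 bits, so whatever checks it (the card, or the login hash comparison) must limit attempts; the hash only protects the stored value, not a guessable one.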
Digital Access (Hybrid Access Gateway)
Description
Use this task to provision a user to the Smart ID Digital Access component. The task consists of two phases. In the first phase the user is created or updated; this is always done. If you do not set a validFrom field, the user always gets the current date as the valid-from value in Digital Access. If Smart ID Mobile App (Personal Mobile) is configured, all Smart ID Mobile App profiles that the user has are deleted. Deletion of the authentication methods SYNC and OATH is not implemented yet.
Configuration
To use this task, configure the following delegate expression in your service task:
${provisionUserToHagParameterizedTask}
The following parameters can be configured in PRIME Designer:
Parameter | Mandatory | Value | Description |
---|---|---|---|
coreTemplateName |  |  | The name of the coreTemplate from which the current coreObject state shall be retrieved. |
challengePin | - |  | The default PIN for synchronized authentication of the user in Digital Access. |
emailField | - |  | The name of the datamap field which contains the email of the user. |
hagUrl |  | https://xpiimport.nexusgroup.com:4443/ | URL of the Digital Access system. |
locationDNField | - |  | The datamap field which contains the LDAP DN of the desired user. If this is set, the user is connected to LDAP in Digital Access as well. |
lockedStates |  |  | A comma separated list of states from the state graph of the user which mean "locked" in Digital Access. |
unlockedStates |  |  | A comma separated list of states from the state graph of the user which mean "unlocked" in Digital Access. |
userEnabledPerDefault | - |  | If set to "true", the user is automatically enabled in Digital Access. If not set, it is handled as "true". |
userNameField |  |  | The datamap field which contains the user name that shall be provisioned to Digital Access. |
smsNumberField | - |  | The datamap field which contains the phone/SMS number of the user. |
validFromField | - |  | The datamap field which contains the validFrom information. If it is not set or the value of the field is null, the current date is used, as this is a mandatory parameter in Digital Access. |
validToField | - |  | The datamap field which contains the validTo information. |
authenticationMethods | - |  | The authentication methods which will be provided to Digital Access. Allowed are the empty string (default), SYNC (= SYNChronized Authentication), PM (= Personal Mobile, that is, Smart ID Mobile App) and OATH (= Open AuTHentication). Only one authentication method can be selected. |
pmStatus | - | activate, deactivate | What status Personal Mobile (Smart ID Mobile App) should get. If an invalid status is configured, the status in PM is not changed. This parameter is only mandatory if the authentication method is configured as PM; otherwise it can remain empty. |
OATHProvider | - |  | The providers are configured in the Digital Access system. To find out which providers are configured on your Digital Access system, go to Digital Access Admin > Manage System > OATH Configuration > Manage OATH Providers. For more info, see: Set up OATH tokens in Digital Access. This parameter is only mandatory if the authentication method is configured as OATH; otherwise it can remain empty. |
Login
Description
Use this task to finalize a process that is going to be used as a post-login process. Execute the service task at the end of a post-login process in order to mark the post-login process as successfully finished; it will not work without this. Do not use this task outside a post-login process. Calling this task more than once within a post-login process results in a failure.
Configuration
There are no parameters to configure.

Description
Use this task to search for a core object and create an AuthenticatedUser which is passed to the datamap with the key "AuthenticatedUser".
Configuration
To use this task, configure the following delegate expression in your service task:
${findAndAuthenticateCoreObjectParameterizedDelegate}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
principalFieldName |  |  | The field name of the unique identifier of the CoreObject. |
coreTemplateNames |  |  | The CoreTemplate names in which the CoreObject shall be searched for. The search starts with the first name in the list. |
The task can be defined as follows (Spring bean configuration):
<!-- The action that does the work: looks the core object up by principalFieldName in the
     listed core templates and authenticates it through the configured authentication provider. -->
<bean name="findAndAuthenticateCoreObjectParameterizedAction" class="de.vps.act.action.login.FindAndAuthenticateCoreObjectParameterizedAction">
    <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
    <!-- The provider that performs the credential check; this reference decides how the
         found core object is authenticated. -->
    <property name="authenticationProvider" ref="userPasswordCoreObjectAuthenticationProvider" />
    <property name="authProfileProvider" ref="authProfileProvider" />
    <property name="dataPoolProvider" ref="dataPoolProvider" />
    <property name="coreTemplateProvider" ref="coreTemplateProvider" />
</bean>
<!-- The delegate referenced by the service task's delegate expression: it extracts the task
     parameters (principalFieldName, coreTemplateNames) and runs the action above. -->
<bean id="findAndAuthenticateCoreObjectParameterizedDelegate" class="de.vps.act.processexecution.delegation.TaskParametrizedActionBasedJavaDelegate">
    <property name="taskParameterExtractor" ref="taskParameterExtractor" />
    <property name="action" ref="findAndAuthenticateCoreObjectParameterizedAction" />
</bean>
PACS
Description
Use this task to assign an entitlement to a person. The task works on three different core objects:
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsAssignEntitlementParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
entitlementAssignmentDataPoolName |  |  | The name of the data pool for core objects that stores the assignment, for example, 'Request'. |
entitlementAssignmentExternalIdFieldName |  |  | The field name of the above data pool where the external id of the assignment is stored, for example, 'ExternalId'. |
targetEntity |  |  | The assignment is done on either a person or an access rule. By providing values such as 'person' or 'PERSON' (all letters are handled as lower case) the assignment is done on the person entity. By providing any other value, the assignment is done on the access rule. |
relatedEntitlementsCoreObjectDescriptorList |  |  | Contains a list of entitlements related to the entitlement to be assigned. Mostly used to associate a room with a time zone. |

Description
Use this task to create a group membership in the Smart ID Physical Access component. Group membership means assigning an existing person to an existing group. The task works on three different core objects:
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsCreateGroupMembershipParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
groupMembershipDataPoolName |  |  | The name of the data pool for core objects that stores the group membership. |
groupMembershipExternalIdFieldName |  |  | The field name of the above data pool where the external id of the membership is stored. |

Description
Use this task to send a request to PACS to create (if non-existent) or update (if existing) a card.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsCreateOrUpdateCardParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
cardStateFieldName |  |  | The card data pool field name where Identity Manager stores the state of the card. |
cardActiveStates |  |  | A comma separated list of supported active card states in Identity Manager. |
cardType | - | mifare, em | Optional. The type of a card. The Physical Access component accepts two types: 'mifare' and 'em'. |

Description
Use this task to send a request to PACS to create (if non-existent) or update (if existing) a person.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsCreateOrUpdatePersonParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
personStateFieldName |  |  | The person data pool field name where Identity Manager stores the state of the person. |
personStates |  |  | A comma separated list of supported active person states in Identity Manager. |

Description
Use this task to fetch entitlements of a given type or of several types from a PACS system. Currently supported: Physical Access component. The fetched entitlements are stored as core objects.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsFetchEntitlementsParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
coreTemplateName |  |  | The name of the core template in which the entitlements shall be stored. |
entitlementTypesField | - |  | The name of the data pool for core objects that store the assignment with the external id. |
listOfEntitlementTypes | - | Zero or more comma separated values from the list: DEFAULT, ZP, ZPC, RZ_TZ, DG_TZ, D_TZ |  |
coreObjectDescriptorOutputField | - |  | List of the core objects that were saved into the database. In this service task the list contains entitlement objects, since the task saves entitlements into the database. |

Description
Use this task to send a request to PACS to create (if non-existent), update (if existing) or delete (if existing) a group.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsDealWithGroupParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
deleteFlag |  |  | Flag indicating whether the group should be created/updated (false) or deleted (true). |

Description
Use this task to send a request to PACS to create (if non-existent), update (if existing) or delete (if existing) an access rule.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsDealWithAccessRuleParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
deleteFlag |  |  | Flag indicating whether the access rule should be created/updated (false) or deleted (true). |

Description
Use this task to withdraw an entitlement from a person. The task works only on the core object 'Assignment'. This is an entity that stores the external id of the EntitlementAssignment within the Physical Access component. Usually a Request is used to hold this information.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsWithdrawEntitlementParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
entitlementAssignmentDataPoolName |  |  | The name of the data pool for core objects that store the assignment with the external id. |
entitlementAssignmentExternalIdFieldName |  |  | The field name of the above data pool where the external id of the assignment is stored. |
targetEntity |  |  | The withdrawal is done on either a person or an access rule. By providing values such as 'person' or 'PERSON' (all letters are handled as lower case) the withdrawal is done on the person entity. By providing any other value, the withdrawal is done on the access rule. |

Description
Use this task to withdraw a group membership in the Physical Access component. There has to be a Request with the group membership id in the process map.
Configuration
To use this task, configure the following delegate expression in your service task:
${pacsWithdrawGroupMembershipParametrizedTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
pacsName |  |  | The name of the PACS system to communicate with. |
groupMembershipDataPoolName |  |  | The name of the data pool for core objects that stores the group membership. |
groupMembershipExternalIdFieldName |  |  | The field name of the above data pool where the external id of the membership is stored. |
Process
Use this task to run a search configuration and trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed" if a uniqueness criterion is not met. The event might cause a different process flow.

To use this task, configure the following delegate expression in your service task: ${assertUniquenessParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| searchConfigName | | | Defines the search configuration that should be used to count objects. During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels. |
| minCount | - | | The minimum number of objects that should be found. If the search finds fewer than minCount objects, the task triggers an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount is mandatory, at least one of them must be specified. |
| maxCount | - | | The maximum number of objects that should be found. If the search finds more than maxCount objects, the task triggers an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount is mandatory, at least one of them must be specified. |
| resultVariableName | - | resultCount (used if nothing is specified) | Specifies where the number of found objects is stored in the data map. The value is stored whether the condition is met or not. If no resultVariableName is specified, 'resultCount' is used as the default name. |
| <Datapool_Field> | - | EQUALS:${Person_PersonnelNumber}, GREATER_THAN:${now}, CONTAINS:st | For configuring search fields, add a parameter for each search field. The name of the parameter must be the full name of the datapool field. The value contains the filter condition and the value, separated by a colon. |

If the underlying data source of the search configuration does not allow querying just the number of result objects, as few objects as possible are fetched, but enough to detect violations of minCount or maxCount. If the number of found objects equals the upper limit that was searched for, it is not possible to decide whether more objects exist. In such cases a hint is logged in debug mode: "The search has been restricted to 2 object(s) for performance reasons, but there might exist more objects".

Use this task to pack binary data objects into a ZIP file. A CoreObjectDescriptor is needed (loaded in a preceding service task) to have a list of core objects that contain the binary data fields. Different binaries belonging to one core object can be packed together into one ZIP file (for example photo and signature). Reference fields can also be added to the ZIP file if they represent binaryData (like softtoken).

To use this task, configure the following delegate expression in your service task: ${buildZipFileFromBinariesParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| resultVariableNameZipFile | | | Field name in the datamap where the built ZIP file is written to. |
| resultVariableNameZipName | - | | Field name in the datamap where the name of the ZIP file is written to. |
| zipfileName | | | How the ZIP file shall be named. A file extension like '.zip' is needed. |
| coreObjectDescriptorList | | | CoreObjectDescriptor which contains a list of CoreObjects with binaryData. |
| <name of the zipFile-Entry> (minimum 1) | | <name of binaryField to save into zipFile>. Example values: Person_Photo, Person_Softtoken | One parameter per ZIP entry; the value names the binary field that is stored under that entry. |

Use this task to copy information about the currently logged in user to the process data map. Since the parameters are optional, only those parameters where a value is provided are copied to the process data map.

To use this task, configure the following delegate expression in your service task: ${copyValuesOfLoggedInUserToProcessMapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| userNameOutputField | - | userinfoUsername | The output field of the datamap which will contain the user name. |
| userFullNameOutputField | - | userinfoUserFullName | The output field of the datamap which will contain the user's full name. |
| userIdOutputField | - | userinfoUserid | The output field of the datamap which will contain the user id. |
| userIpAdressOutputField | - | userinfoIpAddress | The output field of the datamap which will contain the user's IP address. |
| userAuthProfileTypeOutputField | - | userinfoAuthprofileType | The output field of the datamap which will contain the user's AuthProfileType (the Enum is passed). |
| userExplorerInstanceIdOutputField | - | userinfoExplorerInstanceId | The output field of the datamap which will contain the user's explorer instance id if logged in through explorer. |
| userUsspInstanceIdOutputField | - | userinfoUsspInstanceId | The output field of the datamap which will contain the user's Smart ID Self-Service instance ID if logged in through Smart ID Self-Service. |
| userRolesOutputField | - | userinfoUserRoles | The output field of the datamap which will contain the user's assigned roles as a list. This is not meant to be used for the GUI and may result in issues. Use this, for example, in gateways like this: ${userinfoUserRoles.contains("Administrator") == true} |
| userSamlTokenIDOutputField | - | userinfoSamlTokenID | The output field of the datamap which will contain the user's SAML Token ID. |
| userSamlIssueInstantOutputField | - | userinfoSamlIssueInstant | The output field of the datamap which will contain the user's SAML IssueInstant. |
| userLocaleOutputField | - | userinfoLocale | The output field of the datamap which will contain the user's selected Locale. |

Use this task to delete a secret field from the secret field store and clear the reference to it.

To use this task, configure the following delegate expression in your service task: ${deleteSecretField}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| referenceField | | | The field to be deleted in the secret field store. |

Use this task to execute a script and put the result variables into the process map.

To use this task, configure the following delegate expression in your service task: ${executeScriptTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| scriptName | | | The name of the script. |

Use this task to run a search configuration and put the result into the map as a core object descriptor list or as the complete object. Searches in external datapools, such as LDAP, SCIM or JDBC, need to be based on a CoreTemplate. If the number of search results is equal to or more than maxCount, this is logged in the Tomcat log file. A process variable executeSearchResultCount will hold the number of the found entities.

To use this task, configure the following delegate expression in your service task: ${executeSearchParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| searchConfigName | | | Defines the search configuration that should be used to count objects. During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels. The binary data fields will not be loaded into the process map unless the search configuration has at least one binary data field in the result columns. |
| maxCount | | | The maximum number of objects that should be found. |
| resultVariableName | - | | Specifies the name of a variable of the data map where the CoreObjectDescriptorList of the found objects is stored. |
| copyValuesOfFirstResult | - | | This parameter decides whether the first found object is put completely into the map (true) or whether the CoreObjectDescriptorList is put into the map (false). If set to true, resultVariableName is ignored. maxCount is ignored too and set to 1. |
| TargetPrefix | - | <Prefix>. Example: Manager_ | Use this if the found object's fields should be added to the process map with a special prefix. It replaces the <Datapool_>, which is otherwise at this position. With this function, conflicting entries can be avoided. Example: Instead of "Person_Email" the data map will get an additional entry "Manager_Email". |
| sortColumn | - | <ColumnName>. Example: FirstName | The column name of the dataset that is used to order the search result. |
| sortOrder | - | | Combo box to select whether the search result is ordered ascending or descending. Default is ascending. |
| <Datapool_Field> | - | <CONDITION>:<value> | Allowed multiple times, once for each search field of the search config. Filter condition and value are separated by a colon, like this: <CONDITION>:<value>. To make it work, you must add the datapool field name as a prefix; for example, the search field OrderNumber is added as SclmDpOrder_OrderNumber. Every filter that is added as <Datapool_Field> MUST exist in the used SearchConfig, otherwise it is not added when the search task is executed. The conjunctions AND and OR can also be used, for example: EQUALS:Active _OR_ temporary.inactive |
| searchUniqueId | - | <value> | Refers to the level 0 entities from which the search starts. It is the Unique ID used to store records in the underlying database. The value can be a literal or a JUEL expression. Unlike Datapool fields, this value always uses equals to identify the record. The searchUniqueId can also be used with just Person_Id or Datapool_Id and EQUALS:<variable_for_entity_reference_id>. |
| resultUniqueId | - | <value> | Refers to the level 1 and above entities in case of multi-level searches. It is the Unique ID used to store records in the underlying database. The value can be a literal or a JUEL expression. Unlike Datapool fields, this value always uses equals to identify the record. |

This action works only in the context of batch orders. Use this task to find the next possible/valid states for a given core object state. If the multiple selected core objects (in a batch order) have different states (for example active, inactive), an ErrorBoundaryEvent is triggered.

To use this task, configure the following delegate expression in your service task: ${findNextPossibleStates}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| dataPoolName | | | The datapool name of the underlying batch order. |
| resturnField | | | The name of the variable containing all the possible states (which were found). |

The task can be defined as follows:

    <bean id="findNextPossibleStatesAction" class="de.vps.act.processexecution.state.FindNextPossibleStatesAction">
        <property name="coreTemplateProvider" ref="coreTemplateProvider"/>
        <property name="stateGraphDefinitionManager" ref="stateGraphDefinitionManager"/>
        <property name="coreObjectDAO" ref="coreObjectDAO"/>
    </bean>
    <bean id="findNextPossibleStates" parent="parameterizedTask">
        <property name="action" ref="findNextPossibleStatesAction" />
    </bean>

Use this task to load an entity into the process map. Given a datapool, a field, the field's value and optionally a core template, the matching entity is loaded. If more than one entity matches, no entities are added to the process map. A process variable loadEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

To use this task, configure the following delegate expression in your service task: ${loadEntityParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| EntityDataPool | | Person | The name of the entity's datapool. |
| EntityAttribute | | Email | The attribute of the entity that must match a certain value. |
| EntityAttributeValue | | ${Person_Email} or ${user.Person_Email} | The value that EntityAttribute must match. Most of the time, an expression is used here. Special expressions like ${user.*} are also possible, to use values from the authenticated user, or ${sysprop.*} to use values from system.properties. |
| EntityCoreObject | | | The core template of the entity. This limits the search to objects of this core template. |
| EntityCoreObjectIdField | | coreObjectId | The field in which the CoreObjectId is added to the process map. |
| EntityCoreObjectDescField | | coreObjectDescriptor | The field in which the CoreObjectDescriptor is added to the process map. |
| EntityRolesField | | roles | The field in which the roles of the object are added to the process map. |
| ExclusiveLoadFields | | FirstName,LastName,Email | If not the complete dataset should be loaded, only the fields defined here are loaded and added to the process map. |
| TargetPrefix | | Manager_ | Use this if the found object's fields should be added to the process map with a special prefix. It replaces the <Datapool_>, which is otherwise at this position. With this function, conflicting entries can be avoided. Example: Instead of "Person_Email" the data map will get an additional entry "Manager_Email". |

This task expects a certificate in the process map and loads an entity from the DB, based on a value of the certificate. You configure what kind of entity (Person, Server etc.) and which certificate field should match which field of the entity. A case-insensitive search is performed. If exactly one entity is found, it is added to the process map. If more than one entity is found, no entities are added to the process map. A process variable loadCertificateMatchingEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error. This task can be used to establish an objectRelation between the certificate and an entity.

To use this task, configure the following delegate expression in your service task: ${loadCertificateMatchingEntityParameterizedTask}

The following parameters can be configured in Identity Manager Admin. Values are case sensitive.

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| certificateDataPoolName | | Certificate | The name of the certificate's datapool. |
| certificateDataFieldName | | Data | The name of the field of the certificate's datapool that holds the binary certificate. |
| certificateAttribute | | | The field of the certificate whose value must match the entity. SAN values are prefixed with "SAN_". Possible values: any one of de.nexus.pkiutils.certificate.DNs or any one of de.nexus.pkiutils.certificate.SANs. Currently that allows the following possibilities: DN_C, DN_CN, DN_DNQ, DN_E, DN_L, DN_O, DN_OU, DN_SN, DN_ST, DN_UID, DN_STREET, DN_INITIALS, DN_POSTAL_ADDRESS, DN_POSTAL_CODE, DN_TELEPHONE_NUMBER, DN_TITLE, DN_SURNAME, DN_GIVENNAME, SAN_EMAIL, SAN_UPN, SAN_DNS, SAN_IP, SAN_URI, SAN_GUID, SAN_RID. |
| entityDataPoolName | | Person | The datapool of the entity to load. |
| entityDataPoolFieldName | | Email | The name of the field of the entity's datapool that must match the certificate's field value. |
| entityCoreTemplateName | - | Person | The core template of the entity. This limits the search to objects of this core template. |

Use this task to load one or more values of SystemProperties, which are configured in the Admin tab in Identity Manager, into fields of the process map. A system property is identified as <contextid>.<propertyName>.

To use this task, configure the following delegate expression in your service task: ${loadSystemPropertyIntoProcessmapParametrizedTask}

The following parameters can be configured in Identity Manager Admin. They can be added with the '+' button; each row sets one system property into the target field:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| targetFieldName | | Name of the systemProperty to load | Combination of target field and system property. |

Use this task to log something in the log file. The results are not visible to an end user.

To use this task, configure the following delegate expression in your service task: ${loggingParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| loggerName | | Any String, but typically a Java package optionally followed by a class name. | In the log4j configuration, defined loggers have a name, typically a package name or a class; however, any String is valid. This attribute specifies which logger this task writes to. You can use this to route the log message to a file, the console or any other appender. |
| loglevel | | | Use this to describe the severity of the log entry. It appears in the log file. Loggers and/or appenders typically ignore entries under a configurable threshold. |
| message | | Any String or JUEL expression. | The message that will be logged. You can use Expression Language and methods from the String API. Expressions are evaluated against the process map. |
| ignoreKeyNotFound | | | If this is set to true, expressions in the message that cannot be resolved to a key in the process map are ignored. If it is set to false, an exception is thrown. |

Use this task to remove an entity from the process map. Given the name of a datapool, all its fields are removed from the datamap. If the given name does not match a datapool, no fields are removed.

To use this task, configure the following delegate expression in your service task: ${removeEntityFromDatamapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| EntityDatapoolName | | | The name of the entity's datapool. |

Use this task to remove a variable from the data map of the process.

To use this task, configure the following delegate expression in your service task: ${variableRemovingParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| variableName | | | The name of the variable which should be removed from the process map. |

Use this task to compare two secret fields. If they are equal, the service task returns true, otherwise false. The comparator is case sensitive, so only exact matches return true. Note that blank values are not considered valid. Passing secret fields directly into the data map is a security issue, so the service task only expects UIDs of valid, already stored secret fields.

To use this task, configure the following delegate expression in your service task: ${compareSecretsParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| firstSecretFieldName | | String value | UID of the first secret field. |
| secondSecretFieldName | | String value | UID of the second secret field. |
| resultFieldName | | String value. Default value: secretsAreEqual | The name of the variable in the processMap that will contain the result of the comparison. |

Use this task to set a variable to a desired value, including an empty string or null.

To use this task, configure the following delegate expression in your service task: ${setValueOfVariableInProcessMapParameterizedTask}

The following parameters can be configured in PRIME Designer:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| variableName | | | The name of the variable whose value should change in the process map. |
| variableValue | - | | The new value for the variable. It may contain JUEL expressions like ${Person_FirstName}. |
| setToNull | - | | If set to true, the variable's value is set to null. |
| setToEmptyString | - | | If set to true, the variable's value is set to an empty string. |

Be sure to configure exactly one of variableValue, setToNull and setToEmptyString. Otherwise an Exception is thrown. Unresolvable JUEL expressions in variableValue are ignored by default. If you want an exception to be thrown instead, add the following bean definitions to your custom-beans.xml:

JUEL expressions

    <bean id="keyNotFoundThrowingSpelResolver" class="de.vps.act.juel.SpelExpressionResolver">
        <constructor-arg name="expressionPrefix" value="${" />
        <constructor-arg name="expressionSuffix" value="}" />
        <constructor-arg name="keyNotFoundSafe" value="false" />
    </bean>
    <bean id="setValueOfVariableInProcessMapParameterizedAction"
          class="de.vps.act.action.datamap.modification.SetValueOfVariableInProcessMapParameterizedAction">
        <property name="juelExpressionResolver" ref="keyNotFoundThrowingSpelResolver" />
    </bean>

Use this task to execute a searchConfig and search a list of X509 certificates for the newest encryption certificate. If one is found, it is saved in the database (if it does not already exist under the configured core template name) and loaded into the processMap as a CoreObjectDescriptor. If the certificate is found in the database but under a different core template name, a second entry is saved under the configured core template name. This task is useful, for example, when a field of an LDAP datapool contains a (multi-value binary) list of certificates.

To use this task, configure the following delegate expression in your service task: ${searchNewestEncCertParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| searchConfigName | | Select in drop-down list | The searchConfig which is executed to search the list of X509 certificates. |
| encCertResultCoreTemplate | | Select in drop-down list | The name of a CoreTemplate to store the found encryption certificate in the database, if it does not already exist with this CoreTemplate name. Note: The name must be based on the CertificateDAO datapool. Note: If the certificate already exists with a different CoreTemplate name, a second entry is saved with the encCertResultCoreTemplate. It is recommended to use these additional entries only temporarily and remove them after use. |
| encCertResultDescriptorName | | String value | The name of the variable in the processMap where the found encryption certificate is put as a CoreObjectDescriptor. |
| X509ListFieldInSearchResult | | String value | The field in the result of the searchConfig with the list of certificates. Note: This field should be a multi-value binary field in the datapool (LDAP datapool). |
| <Datapool_Field> | - | | Additional filter field for the searchConfig, added with the '+' button. See the description of the Process: Execute Search task above. |

Use this task to validate a value in the process data map against a regular expression. The result is saved as true/false in the process data map.

To use this task, configure the following delegate expression in your service task: ${validateFieldWithRegexParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| variableName | | | Field in the process data map whose value (or list of values) is checked with the regular expression. |
| resultVariableName | | | Field in the process data map where the result of the validation is saved as Boolean ("true" when the regex matches, "false" if not). |
| regex | | | The regular expression which the field value must match. |
| variableMustExist | - | Valid values (Boolean) | If true, validation fails if the map has no entry for the variable named in variableName. |
| delimiter | - | | Can be defined if the value in variableName contains a list separated by a delimiter, for example "value1; value2; value3". If a delimiter is defined, the value is treated as a list of multiple values, and every value is validated. |
| trim | - | Valid values (Boolean) | If true, any whitespace before and after the value in variableName is removed before validation. |
| caseSensitive | - | Valid values (Boolean) | If true, the validation differentiates between lowercase and uppercase characters. |
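The following is an added illustration, not Identity Manager code, of the <Datapool_Field> filter syntax (<CONDITION>:<value>, with ${...} values resolved against the process map) and of the minCount/maxCount decision of ${assertUniquenessParameterizedTask}, including the "restricted to N object(s)" hint. The data pool rows, the comparison semantics of EQUALS, GREATER_THAN and CONTAINS, and the exception standing in for the ErrorBoundaryEvent are assumptions of this example.

```python
import re
from datetime import datetime
from typing import Any, Callable, Dict, Optional

# Constructed sample data pool (not real Identity Manager data).
PERSON_POOL = [
    {"Person_PersonnelNumber": "1001", "Person_LastName": "Forster", "Person_ValidTo": datetime(2030, 1, 1)},
    {"Person_PersonnelNumber": "1002", "Person_LastName": "Aust", "Person_ValidTo": datetime(2020, 1, 1)},
    {"Person_PersonnelNumber": "1001", "Person_LastName": "Stein", "Person_ValidTo": datetime(2031, 1, 1)},
    {"Person_PersonnelNumber": "1003", "Person_LastName": "Berg", "Person_ValidTo": datetime(2031, 1, 1)},
]

# Conditions shown on the page; their comparison semantics are assumed here.
CONDITIONS: Dict[str, Callable[[Any, Any], bool]] = {
    "EQUALS": lambda actual, wanted: actual == wanted,
    "GREATER_THAN": lambda actual, wanted: actual > wanted,
    "CONTAINS": lambda actual, wanted: str(wanted) in str(actual),
}

EXPRESSION = re.compile(r"^\$\{(\w+)\}$")


class UniquenessTestFailed(Exception):
    """Stands in for the ErrorBoundaryEvent with error code uniquenessTestFailed."""
    error_code = "uniquenessTestFailed"


def resolve(value: str, process_map: Dict[str, Any]) -> Any:
    """Resolve a ${key} expression against the process map; literals pass through."""
    match = EXPRESSION.match(value)
    if match is None:
        return value
    key = match.group(1)
    if key not in process_map:
        raise KeyError(f"unresolvable expression ${{{key}}}")
    return process_map[key]


def parse_filter(field_name: str, spec: str, process_map: Dict[str, Any]):
    """Split '<CONDITION>:<value>' at the first colon and resolve the value part."""
    condition, sep, raw_value = spec.partition(":")
    if not sep or condition not in CONDITIONS:
        raise ValueError(f"bad filter for {field_name}: {spec!r}")
    return field_name, CONDITIONS[condition], resolve(raw_value, process_map)


def assert_uniqueness(pool, filters: Dict[str, str], process_map: Dict[str, Any],
                      min_count: Optional[int] = None, max_count: Optional[int] = None,
                      result_variable_name: Optional[str] = None) -> Optional[str]:
    """Count matching objects, fetching only as many as are needed to decide.

    Stores the count under resultVariableName (default 'resultCount') whether or
    not the check passes, raises UniquenessTestFailed on a violation, and returns
    the debug hint text when the count hit the fetch limit (else None).
    """
    if min_count is None and max_count is None:
        raise ValueError("at least one of minCount or maxCount must be specified")
    parsed = [parse_filter(name, spec, process_map) for name, spec in filters.items()]
    # One object more than maxCount proves a violation; without maxCount,
    # reaching minCount proves success, so no further objects are fetched.
    limit = max_count + 1 if max_count is not None else min_count
    found = 0
    for row in pool:
        if all(cond(row.get(name), wanted) for name, cond, wanted in parsed):
            found += 1
            if found >= limit:
                break
    process_map[result_variable_name or "resultCount"] = found
    hint = None
    if found == limit:
        hint = (f"The search has been restricted to {limit} object(s) for "
                "performance reasons, but there might exist more objects")
    if min_count is not None and found < min_count:
        raise UniquenessTestFailed(f"found {found} < minCount {min_count}")
    if max_count is not None and found > max_count:
        raise UniquenessTestFailed(f"found {found} > maxCount {max_count}")
    return hint
```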
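An added illustration of the ${compareSecretsParameterizedTask} contract described above (not Identity Manager code): the process map carries only the UIDs of stored secret fields, the store is looked up by UID, blank values never compare equal, and the match is exact and case sensitive. The store contents are constructed, and the constant-time comparison is a choice of this example rather than a documented detail of the task.

```python
import hmac
from typing import Any, Dict, Optional

# Constructed stand-in for the secret field store: UID -> secret value.
SECRET_FIELD_STORE: Dict[str, str] = {
    "sf-7f3a": "Tr0ub4dor&3",
    "sf-9c11": "Tr0ub4dor&3",
    "sf-0d42": "tr0ub4dor&3",  # differs from sf-7f3a only in case
    "sf-e001": "   ",          # blank: not a valid secret
}


def _lookup(process_map: Dict[str, Any], parameter_name: str) -> Optional[str]:
    """Read the UID stored under the parameter and resolve it in the store.

    The secret value itself never enters the process map.
    """
    uid = process_map.get(parameter_name)
    if not isinstance(uid, str):
        return None
    return SECRET_FIELD_STORE.get(uid)


def compare_secrets(process_map: Dict[str, Any], first_secret_field_name: str,
                    second_secret_field_name: str,
                    result_field_name: str = "secretsAreEqual") -> bool:
    """Compare two stored secrets by UID and store the Boolean result in the map."""
    first = _lookup(process_map, first_secret_field_name)
    second = _lookup(process_map, second_secret_field_name)
    if first is None or second is None or not first.strip() or not second.strip():
        # Unknown UIDs and blank values are not valid secrets: never equal.
        result = False
    else:
        # Exact, case-sensitive comparison without an early exit on mismatch.
        result = hmac.compare_digest(first.encode("utf-8"), second.encode("utf-8"))
    process_map[result_field_name] = result
    return result
```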
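An added illustration of how the parameters of ${validateFieldWithRegexParameterizedTask} interact (delimiter, trim, caseSensitive, variableMustExist, and list values); it is not Identity Manager code. Whole-value matching and the outcome for a missing variable when variableMustExist is false are assumptions of this example.

```python
import re
from typing import Any, Dict, Optional


def validate_field_with_regex(process_map: Dict[str, Any], variable_name: str,
                              result_variable_name: str, regex: str,
                              variable_must_exist: bool = False,
                              delimiter: Optional[str] = None, trim: bool = False,
                              case_sensitive: bool = True) -> bool:
    """Validate a single value, a list, or a delimited string against regex.

    The Boolean result is stored under result_variable_name and returned.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = re.compile(regex, flags)

    if process_map.get(variable_name) is None:
        # Assumption: a missing variable only fails when variableMustExist is true.
        result = not variable_must_exist
        process_map[result_variable_name] = result
        return result

    raw = process_map[variable_name]
    if isinstance(raw, (list, tuple)):
        values = [str(v) for v in raw]           # a list value: every entry is checked
    elif delimiter:
        values = str(raw).split(delimiter)       # delimited string: split into entries
    else:
        values = [str(raw)]
    if trim:
        values = [v.strip() for v in values]

    # Assumption: the whole value must match, not just a substring.
    result = all(pattern.fullmatch(v) is not None for v in values)
    process_map[result_variable_name] = result
    return result
```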
Smart ID Messaging
Use this task to provision a new profile or update an existing one, overwriting existing keys. The task creates the keys needed for the "Mobile App: Install certificates" task. The task generates the following PKCS#10 request templates: These requests are then sent to the mobile phone and transformed into new PKCS#10 requests (with key pairs generated on the client but keeping all subject data). The user id of the new requests is then sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager puts these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". If a new profile was created, Identity Manager also puts the new profileId into the process map under the key "profileId". To save the profile id, copy it into a data pool field. After this task has been executed, request certificates using the requests stored in the process variables "SIG_P10_VAR" and "AUTH_P10_VAR" before proceeding to the "Mobile App: Install certificates" task. Store the requested certificates in the process map.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

- messageName
- ID representing the user on the messaging server. This is displayed in the profile on the mobile app so the user can verify that the correct data is provided. A common approach is to use the user's email address.
- Several parameters are mandatory only if a new profile is provisioned ("If new profile") and must be left empty when updating a profile.
- Id of the Smart ID Mobile App profile that will be updated with new keys. Leave empty if you want to provision a new profile.
- Three further parameters are mandatory only if a visual ID is used ("If using visual ID").

Use this task to request and install certificates that were prepared using the "Mobile App: Create Key" task. As a prerequisite Use this task to install a number of certificates on the mobile phone:

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, ErrorMessage, ErrorType, ${SIG_VAR}, ${AUTH_VAR}, ${DEVICE_ENC_P10_VAR}, ${profileId}.

Use this task to delete a profile managed by Smart ID Desktop App. It can also delete all Smart ID Messaging mailboxes for a specific user id. This task can be used in the following ways:

- Execute the task on a card profile which contains information about the profile id.
- Set the confirmation flag to false. Even if the confirmation flag is set to false, you need to set the 'messageName' parameter to a dummy value to be able to delete the mailbox(es).

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

- (mandatory when the confirmation flag is true) ID of the profile to be deleted, as created via 'Mobile App: Create Key'.
- ${Person_Email}
- Messaging Server forwards the profile deletion request to Smart ID Mobile App when this is set to true.

Use this task to create up to three template PKCS#10 requests that can be used to request certificates needed for the "Desktop App: Install Certificates on Virtual Smart Card" task. Use this task to create up to three template PKCS#10 requests: These requests are then sent to Smart ID Desktop App and transformed into new PKCS#10 requests (with key pairs generated on the client but keeping all subject data). The new requests are then sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager puts these PKCS#10 requests into the process map under the keys "SIG_P10_VAR" and "AUTH_P10_VAR". Identity Manager also puts the new profile id into the process map under the key "profileId". To save the profile id, copy it into a data pool field. This task can only provision a new profile; updating an existing profile is currently only supported in Smart ID Mobile App, not in Smart ID Desktop App.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

- messageName
- ID representing the user on the messaging server. This is displayed in the profile list on the desktop app so the user can verify that the correct data is provided. A common approach is to use the user's email address.
- Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from.
- The secret field reference of the 24-byte 3DES admin key in HEX format. The key can also be set directly as a plain hex value for testing. Note: Smart ID Desktop App's own default is 123456781234567812345678123456781234567812345678, but you must make sure Identity Manager always defines the value!
- The value is passed as-is to Smart ID Desktop App.
- (optional) This field only makes sense if the "FreeTPM" provisionReader is configured. If provided, it changes the VSC's admin key: "oldAdminkey" must hold the old admin key and "adminKey" must hold the new admin key. For example, the default admin key is 010203040506070801020304050607080102030405060708 when you create a VSC with the Tpmvscmgr tool.
- Storage priority: defines where certificates and keys are stored. Valid values are version-dependent (a Smart ID Desktop App or Smart ID Messaging update may be required for some). Usually just a single value. Example: VSC, OS means: try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.
- Specifies the key protection level at the OS key store. It is only used in case of OS storage priority.

This task requests and installs certificates that were prepared using the "Desktop App: Create Virtual Smart Card Key" task. As a prerequisite Use this task to install a number of certificates on a profile maintained by the Smart ID Desktop App:

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, ErrorMessage, ErrorType, ${SIG_VAR}, ${AUTH_VAR}, ${DEVICE_ENC_P10_VAR}, ${profileId}, ${Card_VscId}.

- Storage priority: defines where certificates and keys are stored. Valid values are version-dependent (a Smart ID Desktop App or Smart ID Messaging update may be required for some). Usually just a single value. If the profile was created with hybridProfile set to TRUE (see 'Desktop App: Create Virtual Smart Card Key'), this may be a comma-separated list. Example: VSC, OS means: try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.
- Specifies the key protection level at the OS key store. It is only used in case of OS storage priority.

Use this task to delete a virtual smart card profile managed by Smart ID Desktop App on a TPM and also to delete all Smart ID Messaging mailboxes for a specific user id. This task can be used in the following ways:

- Execute this task on a smart card profile which contains information about smart card id, profile id and card manager key (admin key).

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

- (mandatory when the confirmation flag is true) ID of the profile to be deleted, as created via 'Desktop App: Create Virtual Smart Card Key'.
- (mandatory when profileId is provided and the confirmation flag is true) Process variable to put the resulting Smart ID Plugout URI that opens Smart ID Desktop App on the client machine.
- ${Person_Email}
- (mandatory when profileId is provided and the confirmation flag is true) The secret field reference of the new 24-byte 3DES admin key to be set, in HEX format. The key can also be set directly as a plain hex value for testing.
- (mandatory when profileId is provided and the confirmation flag is true) ${Card_CardManagerKey}: The secret field reference of the current 24-byte 3DES admin key, in HEX format. The key can also be set directly as a plain hex value for testing.
- Messaging Server forwards the delete profile request to Smart ID Desktop App when this is set to true.

Use this task to create a template PKCS#10 request that can be used to request the certificate needed for the "Desktop App: Install Certificates On Windows Cert Store" task. Identity Manager also puts the new profileId into the process map under the key "profileId". To save the profile id, copy it into a data pool field. This task can only provision a new profile; updating an existing profile is currently only supported in Smart ID Mobile App, not in Smart ID Desktop App.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

- messageName
- ID representing the user on the messaging server. This is displayed in the profile list on the desktop app so the user can verify that the correct data is provided. A common approach is to use the user's email address.
- Name of the server that issued the provisioning request. It is displayed in Smart ID Desktop App so the user can understand where this profile comes from.
- Specifies the key protection level at the OS key store. It is only used in case of OS storage priority.

Use this task to request and install certificates that were prepared using the "Desktop App: Create Windows Cert Store Key" task. As a prerequisite Use this task to install a number of certificates in the Windows certificate store:

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, p10FinishedCallback, ${Person_Email}, ErrorMessage, ErrorType, ${DEVICE_ENC_P10_VAR}, ${profileId}.

- Specifies the key protection level at the OS key store. It is only used in case of OS storage priority.

Use this task to start a connection to Smart ID Messaging. With this connection, scripts can be executed. Finally, the connection needs to be closed. Once the connection is established you receive a boxId and a plugoutUrl, which can be used to start Smart ID Desktop App and connect it to the corresponding box on Smart ID Messaging.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Use this service task to execute a script in Smart ID Desktop App. The script needs to be passed as a JSON array.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Use this service task to close a scripting connection to Smart ID Messaging.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Use this task to encrypt the PIN or card manager key that is sent during a PIN operation. The corresponding app provides this one-time key in the callback message when the operation is requested.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Use this task to initiate a PIN reset on a virtual smart card. Once the operation is confirmed by the user through the Smart ID Desktop App, Identity Manager receives a challenge that needs to be encrypted with the card manager key in order to authorize the PIN reset. The challenge is set in the process variable "challenge". After this task has been executed, use the 'Credentials: Calculate Minidriver Offline Unblocking Response' task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Desktop App: Acknowledge PIN Reset on Virtual Smart Card" task.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, startPinResetCallback, ${Person_Email}; process variable to put the plugout URL.

Use this task to initiate a PIN reset on a physical smart card. The Smart ID Desktop App in turn provides a challenge and a transport security key, so that the actual PIN operation can be executed. Supported operations are: The challenge that Identity Manager receives needs to be encrypted with the card manager key in order to authorize the PIN operation. The challenge is set in the process variable "challenge" by a callback message. The transport security key can be used to encrypt the new card manager key when it is changed. After this task has been executed, use the 'Credentials: Calculate Minidriver Offline Unblocking Response' task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Desktop App: Acknowledge PIN Reset on Virtual Smart Card" task.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, startPinResetCallback, resetPIN.

Use this task to complete a PIN reset on a virtual smart card. Once the PIN is reset by Smart ID Desktop App, Identity Manager receives an event indicating success or failure of the operation. As a prerequisite you must have encrypted the challenge received in the "Desktop App: Request PIN Reset on Virtual Smart Card" task.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, endPinResetCallback.

Use this task to complete a PIN operation on a virtual smart card. Once the PIN is changed by Smart ID Desktop App, Identity Manager receives an event indicating success or failure of the operation. As a prerequisite you must have encrypted the challenge received in the "Desktop App: Request PIN Reset on Virtual Smart Card" task, and, if the PIN (or card manager key) is provided by Identity Manager, it has to be encrypted for secure transport using the "Desktop/Mobile App: Encrypt Secret for Transport" task.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: messageName, endPinResetCallback.

Use this task to retrieve profile and device information of virtual smart cards that are managed by Smart ID Desktop App. You can request information of a virtual smart card or of a single virtual smart card profile.
The task will put a "commandId" value into a process variable which must be used for polling the response using "Desktop App: Poll meta data from client". To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Process variable to put the plugout url. Valid values: ID representing the user on the messaging server. If a profileId parameter is set, this must match the userid provided when the profile was requested. Otherwise any value will do. Valid values: Request device information. Valid values: Request profile information. Use this task to poll a ping response from Smart ID Messaging based upon the 'commandId' (which was created at the ping request to Smart ID Messaging). Execute this task after a ping request to Smart ID Messaging. It polls the message from Smart ID Messaging, based upon the provided command id. After receiving the response from Smart ID Messaging it stores the profile and device Information into configured service task parameters. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:Description
Configuration
${hermodKeyCreationTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | | |
errorMessageField | | | Process variable to put the error message in case of failure. |
errorTypeField | | | Process variable to put the error type in case of failure. |
signCertificateTemplate | - | | Signature certificate template. |
authCertificateTemplate | - | | Authentication certificate template. |
profileName | | | Profile name for Smart ID Messaging. Will be displayed in the Smart ID Mobile App. Leave empty if you want to update an existing profile. |
serverName | | | Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from. |
qrResultField | | | Process variable to put the resulting url. This url may be converted to a QR-Code for the Smart ID Mobile App by using GenerateQRCodeParametrizedAction. |
profileId | If update profile | | |
storagePriority | | | Storage priority of certificates. MDM is replaced by EXT, however MDM is still supported. |
visualIdLayout | | | The layout to be used for creating the visual ID. If there is a juel expression configured for the front or backside image, this will take precedence over the statically configured image. If there is no image found for the juel expression, and there is no statically configured image, the task will fail. |
cardDatapool | | | The datapool used for saving the mobile ID profile. |
contentId | | | A unique ID in UUID format, which will be associated with the personal mobile profile. Can be generated with the service task "MISC: Generate Random GUID into Data Map Field". |
Configuration
${hermodInstallCertificatesTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | p10FinishedCallback | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | ${Person_Email} | ID representing the user on the messaging server. This must match the userid provided when the profile was requested. |
errorMessageField | | | Process variable to put the error message in case of failure. |
errorTypeField | | | Process variable to put the error type in case of failure. |
signatureCertificate | - | | The signature certificate. |
authenticationCertificate | - | | The authentication certificate. |
deviceEncryptionP10 | | | The PKCS#10 request for the Device Encryption Certificate, created by the "Mobile App: Create Key" task. |
profileId | | | The id of the profile under which to store the certificates. This is initially provided by the "Mobile App: Create Key" task. |
encryptionCertificate | - | | Encryption certificate template. |
recoveryCertificate | - | | Recovery certificate template. |
processVariable | - | Certificate_CoreObjects | Variable name which holds Core object ids list or Core object descriptor list of certificates to be recovered. |
p12PasswordField | | profilePassword | Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords. |
storagePriority | | | Storage priority of encryption certificates. MDM is replaced by EXT, however MDM is still supported. |
Delete profile on Smart ID Mobile App and Smart ID Messaging
Delete mailbox on Smart ID Messaging only
The profiles themselves in their respective apps will be retained, as the deletion request will not be forwarded.
Configuration
${pmHermodDeleteProfileTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
profileId | | ${Card_ProfileId} | |
userid | | | ID representing the user on the messaging server. This must match the userid provided when the profile was requested. |
confirmation | | | |
Configuration
${pxVscHermodKeyCreationTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | | |
errorMesageField | | | Process variable to put the error message in case of failure. |
errorTypeField | | | Process variable to put the error type in case of failure. |
signCertificateTemplate | - | | Certificate template of the signature certificate. |
authCertificateTemplate | - | | Certificate template of the authentication certificate. |
profileName | | | Profile name for Smart ID Messaging. Will be displayed in Smart ID Desktop App as the heading of the profile. |
serverName | | | |
plugoutResultField | | | Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine. |
adminKey | | | |
smartCardId | | | Virtual smart card id. Usually it will be created via a dedicated number-range. |
provisionReader | | | |
pinMinLength | | | Min. length of the VSC PIN (Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength) |
pinMaxLength | | | Max. length of the VSC PIN (Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength) |
pinUppercase | | | Whether uppercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED |
pinLowercase | | | Whether lowercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED |
pinDigits | | | Whether digits in the PIN are ALLOWED / DISALLOWED / REQUIRED |
pinSpecialChars | | | Whether special chars in the PIN are ALLOWED / DISALLOWED / REQUIRED |
hybridProfile | - | | |
oldAdminKey | - | | |
storagePriority | | | If hybridProfile is TRUE, then this may be a comma-separated list. |
desktopKeyProtectionLevel | | | |
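The pinMinLength, pinMaxLength and pin* character-class parameters above together form the PIN policy that the task hands to Windows for the virtual smart card. The following is an added example, not code from the Nexus page or product: it checks that a set of task parameters is internally consistent (within the 4-127 limits the table quotes, min not above max, at least one class allowed) and evaluates a candidate PIN against it. The policy values and the reading of "special chars" as any non-alphanumeric character are assumptions made for the example.

```python
# Added example (not part of the Nexus page or product): checks a VSC PIN against
# the pin* parameters of the "Desktop App: Create Virtual Smart Card Key" task.
# The POLICY dict is constructed; the 4..127 limits come from the task's own table.

ALLOWED, DISALLOWED, REQUIRED = "ALLOWED", "DISALLOWED", "REQUIRED"
WINDOWS_PIN_MIN, WINDOWS_PIN_MAX = 4, 127   # limits quoted in the task description

# Parameter name -> predicate that recognises one character of that class.
# Assumption: "special chars" means any character that is not alphanumeric.
CHAR_CLASSES = {
    "pinUppercase": str.isupper,
    "pinLowercase": str.islower,
    "pinDigits": str.isdigit,
    "pinSpecialChars": lambda c: not c.isalnum(),
}

POLICY = {  # constructed sample policy, not a recommended setting
    "pinMinLength": 6,
    "pinMaxLength": 12,
    "pinUppercase": ALLOWED,
    "pinLowercase": ALLOWED,
    "pinDigits": REQUIRED,
    "pinSpecialChars": DISALLOWED,
}


def validate_policy(policy):
    """Sanity-check the task parameters before provisioning; returns a list of problems."""
    problems = []
    lo, hi = policy["pinMinLength"], policy["pinMaxLength"]
    for name, val in (("pinMinLength", lo), ("pinMaxLength", hi)):
        if not WINDOWS_PIN_MIN <= val <= WINDOWS_PIN_MAX:
            problems.append(f"{name} {val} outside Windows range {WINDOWS_PIN_MIN}-{WINDOWS_PIN_MAX}")
    if lo > hi:
        problems.append("pinMinLength greater than pinMaxLength")
    for name in CHAR_CLASSES:
        if policy.get(name) not in (ALLOWED, DISALLOWED, REQUIRED):
            problems.append(f"{name} must be ALLOWED, DISALLOWED or REQUIRED")
    if all(policy.get(name) == DISALLOWED for name in CHAR_CLASSES):
        problems.append("every character class is DISALLOWED; no PIN can satisfy this policy")
    return problems


def check_pin(pin, policy):
    """Return the list of policy violations for a candidate PIN (empty list = compliant).
    Messages never include the PIN itself, so they are safe to log."""
    violations = []
    n = len(pin)
    if n < policy["pinMinLength"]:
        violations.append(f"length {n} below pinMinLength {policy['pinMinLength']}")
    if n > policy["pinMaxLength"]:
        violations.append(f"length {n} above pinMaxLength {policy['pinMaxLength']}")
    for name, is_member in CHAR_CLASSES.items():
        present = any(is_member(c) for c in pin)
        if policy[name] == REQUIRED and not present:
            violations.append(f"{name}: required but absent")
        elif policy[name] == DISALLOWED and present:
            violations.append(f"{name}: present but disallowed")
    return violations


if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY) or "none")
    for idx, candidate in enumerate(("abc123", "abcdef", "ab1!"), start=1):
        print(f"candidate {idx}:", check_pin(candidate, POLICY) or "compliant")
```

Running validate_policy at design time catches the mistakes that otherwise only surface when Smart ID Desktop App rejects the provisioning on the client, for instance a pinMinLength below 4 or a policy in which every class is DISALLOWED.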
Configuration
${pxVscHermodInstallCertificatesTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | p10FinishedCallback | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | ${Person_Email} | ID representing the user on the messaging server. This must match the userid provided when the profile was requested. |
errorMessageField | | | Process variable to put the error message in case of failure. |
errorTypeField | | | Process variable to put the error type in case of failure. |
signatureCertificate | | | The signature certificate. |
authenticationCertificate | | | The authentication certificate. |
deviceEncryptionP10 | | | The PKCS#10 request for the Device Encryption Certificate, created by the "Desktop App: Create Virtual Smart Card Key" task. |
profileId | | | The id of the profile under which to store the certificates. This is initially provided by the 'Desktop App: Create Virtual Smart Card Key' task. |
encryptionCertificate | | | Encryption certificate template. |
recoveryCertificate | | | Recovery certificate template. |
processVariable | | Certificate_CoreObjects | Variable name which holds Core object ids list or Core object descriptor list of certificates to be recovered. |
p12PasswordField | | p12password | Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords. |
smartCardId | | | Virtual smart card id. Usually it will be created via a dedicated number-range. |
storagePriority | | | |
desktopKeyProtectionLevel | | | |
Delete Virtual Smart card profile on Smart ID Desktop App and Smart ID Messaging
Delete mailbox on Smart ID Messaging only
Configuration
${pxVscHermodDeleteProfileTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | deleteSmartCardCallback | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
profileId | | ${Card_ProfileId} | |
smartCardId | | ${Card_VscId} | ID of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'. |
plugoutUrl | | plugoutUrl | |
userid | | | ID representing the user on the messaging server. This must match the userid provided when the profile was requested. |
adminKey | | | |
oldAdminKey | | | |
confirmation | | | |
Configuration
${pxOsHermodKeyCreationTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | | |
errorMesageField | | | Process variable to put the error message in case of failure. |
errorTypeField | | | Process variable to put the error type in case of failure. |
profileName | | | Profile name for Smart ID Messaging. Will be displayed in Smart ID Desktop App as heading of the profile. |
serverName | | | |
plugoutResultField | | | Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine. |
desktopKeyProtectionLevel | | | |
Configuration
${pxOsHermodInstallCertificatesTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | | ID representing the user on the messaging server. This must match the userid provided when the profile was requested. |
errorMessageField | | | Process variable to put the error message in case of failure. |
errorTypeField | | | Process variable to put the error type in case of failure. |
deviceEncryptionP10 | | | The PKCS#10 request for the Device Encryption Certificate, created by the "Desktop App: Create Virtual Smart Card Key" task. |
profileId | | | The id of the profile under which to store the certificates. This is initially provided by the 'Desktop App: Create Virtual Smart Card Key' task. |
softttokenCertificate | | | Softtoken certificate template. |
recoveryCertificate | | | Recovery certificate template. |
processVariable | | Certificate_CoreObjects | Variable name which holds Core object ids list or Core object descriptor list of certificates to be recovered. |
p12PasswordField | | p12Password | Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords. |
desktopKeyProtectionLevel | | | |
Configuration
${hermodStartConnectionParametrizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
boxId | | | Process variable to put the boxId. |
plugoutUrl | | | Process variable to put the plugout url. |
messageToUser | | | An optional message to the user which will be displayed in Smart ID Desktop App. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
[{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]
)
Configuration
${hermodExecuteScriptParametrizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
boxId | | | Process variable to put the boxId. |
scriptCommands | | [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}] | Process variable containing the script commands. The commands need to be formatted as a JSON array. |
messageToUser | | | An optional message to the user which will be displayed in Smart ID Desktop App. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
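A scriptCommands value is executed on the client one entry at a time, with each entry's "response" regex deciding whether the card's answer is acceptable. The block below is an added example and not Nexus code: it validates a script of the documented shape (type, even-length hex data, compilable regex) before it is placed in the process variable, and runs it against a constructed stand-in for the card so the gating effect of the regex is visible. The requirement that the regex match the whole response, the minimum APDU length and the fake card's answers are assumptions of the example; only the first script is the one quoted on this page.

```python
import json
import re

# Added example (not Nexus code): validates a scriptCommands JSON array and shows
# how each command's "response" regex gates the next step. SCRIPT_JSON is the
# value quoted on the page; SCRIPT_TWO_STEPS is constructed for the example.
SCRIPT_JSON = '[{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]'
SCRIPT_TWO_STEPS = json.dumps([
    {"type": "APDU", "data": "00A4040000", "response": ".*(9000)"},
    {"type": "APDU", "data": "00B0000010", "response": ".*(9000)"},
])

HEX_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
MIN_APDU_LEN = 4  # assumption: CLA INS P1 P2 is the shortest sensible command


def parse_script(text):
    """Parse and validate a script; returns [(apdu_bytes, compiled_response_regex), ...]."""
    commands = json.loads(text)
    if not isinstance(commands, list) or not commands:
        raise ValueError("scriptCommands must be a non-empty JSON array")
    parsed = []
    for i, cmd in enumerate(commands):
        if not isinstance(cmd, dict) or cmd.get("type") != "APDU":
            raise ValueError(f"command {i}: only type APDU is handled in this example")
        data = cmd.get("data", "")
        if not HEX_BYTES.match(data) or len(data) // 2 < MIN_APDU_LEN:
            raise ValueError(f"command {i}: data must be an even-length hex string "
                             f"of at least {MIN_APDU_LEN} bytes")
        try:
            pattern = re.compile(cmd.get("response", ".*"))
        except re.error as exc:
            raise ValueError(f"command {i}: invalid response regex: {exc}") from None
        parsed.append((bytes.fromhex(data), pattern))
    return parsed


def run_script(commands, transmit):
    """Send each APDU through transmit(bytes) -> bytes and stop at the first
    response that does not match its regex.
    Returns [(apdu_hex, response_hex, matched), ...].
    Assumption: the regex has to match the whole response (fullmatch)."""
    results = []
    for apdu, pattern in commands:
        response_hex = transmit(apdu).hex().upper()
        matched = pattern.fullmatch(response_hex) is not None
        results.append((apdu.hex().upper(), response_hex, matched))
        if not matched:
            break
    return results


# Constructed stand-in for the card behind Smart ID Desktop App: it answers the
# SELECT quoted on the page with 9000 and anything else with 6A82.
FAKE_CARD = {"00A4040000": "9000"}


def fake_transmit(apdu):
    return bytes.fromhex(FAKE_CARD.get(apdu.hex().upper(), "6A82"))


if __name__ == "__main__":
    for apdu_hex, resp_hex, ok in run_script(parse_script(SCRIPT_TWO_STEPS), fake_transmit):
        print(f"{apdu_hex} -> {resp_hex} {'ok' if ok else 'stopped: response did not match'}")
```

Validating the array on the server side before the task runs turns a malformed script into a process error with a precise message instead of an opaque failure reported back from the client.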
Configuration
${hermodEndConnectionParametrizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
boxId | | | Process variable to put the boxId. |
messageToUser | | | An optional message to the user which will be displayed in Smart ID Desktop App. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
Configuration
${jweEncryptTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
jweAlgorithm | | ${transportKeyType} | The value as provided by the corresponding app via a callback message. In most cases the default value should be used. RSA-OAEP, RSA-OAEP-256, and RSA1-5 are supported. |
key | | ${transportKey} | The value as provided by the corresponding app via a callback message. In most cases the default value should be used. Supports only X509 encoded RSA key in byte array. |
sourceData | | ${Card_CardManagerKey} | The secret to be encrypted. |
targetField | | ${encryptedSecret} | Process variable to hand over the encrypted secret to the acknowledge task. |
Configuration
${hermodStartPinResetTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
userid | | | ID representing the user on the messaging server. This must match the userid provided when the profile was requested. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
profileId | | ${Card_ProfileId} | Id of the profile whose pin to change, as created via 'Desktop App: Create Virtual Smart Card Key'. |
smartCardId | | ${Card_VscId} | Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'. |
boxId | | boxId | Process variable to put the boxId. This will be needed to complete the pin reset. |
plugoutUrl | | plugoutUrl | |
Configuration
${hermodStartScPinResetTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
operation | | | |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
driverType | | MiniDriver | What kind of driver is used for the operation. At the moment only MiniDriver is supported. |
driverName | | CardOS | Name of the driver to be used. |
Configuration
${hermodEndPinResetAction}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
profileId | | ${Card_ProfileId} | Id of the profile whose pin to change, as created via 'Desktop App: Create Virtual Smart Card Key'. |
smartCardId | | ${Card_VscId} | Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'. |
boxId | | ${boxId} | The boxId that was created with 'Desktop App: Request PIN Reset on Virtual Smart Card'. |
response | | ${encryptedChallenge} | The challenge received in the callback of 'Desktop App: Request PIN Reset on Virtual Smart Card', encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'. |
Configuration
${hermodScEndPinResetAction}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
messageName | | | The name of the intermediate message catching event that will be triggered by Smart ID Messaging. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
encryptedSecret | | ${encryptedSecret} | Only required if the secret (like card manager key or pin) is managed by Identity Manager. It is encrypted using the "Desktop/Mobile App: Encrypt Secret for Transport" task. If the secret is entered by the user into the app, this can be omitted. |
boxId | | ${boxId} | The boxId that was created with 'Desktop App: Request PIN Reset on Virtual Smart Card'. |
response | | ${encryptedChallenge} | The challenge received in the callback of 'Desktop App: Request PIN Reset on Virtual Smart Card', encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'. |
Configuration
${pxVscHermodPingRequestTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
profileId | | ${Card_ProfileId} | If provided, restrict requested information to this profile. ProfileId values are created in the 'Desktop App: Create Virtual Smart Card Key' task. |
plugoutUrl | | plugoutUrl | |
userid | | | |
deviceInfo | | | |
profileInfo | | | |
commandId | | commandId | Process variable to put the commandId value, which is needed for polling in the "Desktop App: Poll meta data from client" task. |
Configuration
${pxVscHermodPingResponsePollingTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
messagingServer | | | The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection. |
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure. |
errorTypeField | | ErrorType | Process variable to put the error type in case of failure. |
commandId | | ${commandId} | CommandId which was received by the "Desktop App: Ping Virtual Smart card profile" task, needed for polling. |
profileInfo | | profileInfo | Process variable to put the profile information. |
deviceInfo | | deviceInfo | Process variable to put the device information. |
Miscellaneous
Use this task to create a request for the IN Groupe connector and place it in the process map.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

statusAfterExport -

The configuration file is needed for Identity Manager to know which tag of the IN Groupe request schema should be mapped with the corresponding value from the core object. Format the configuration file as a .properties file. To set the value of a tag, specify the type name of the parent tag and the tag you want to modify, for example: The value can also be a juel expression which is available in the process map. If the expression can not be resolved it will result in an empty string. Expressions that are always available: To set the "reference" attribute that is needed for, for example, "DataType", configure as follows: The part after the "|" symbol represents the reference value.

Use this task to read all IN Groupe report files from a folder and update any cards found inside.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

ConfigurationFilePath
The name of the field that references a map, containing all the available mappings between a request status and a card status. Note: The card status values must be present in the state graph, and the transitions from one state to another must be valid.

The configuration file is needed for Identity Manager to know which field of the IN Groupe report schema should be mapped with the corresponding value from the core object. The configuration file has to be formatted as a .properties file. To set the value of a tag, you specify the type name of the parent tag and the tag you want to modify (EntRecType_unRef in the example below). On the right side of the equals sign you give the datapool and the field where the value needs to be written (Card_UniqueReference in the example below). In the import mapping you also have constructs referring to complex objects from a list. To set the "reference" attribute that is needed for, for example, "InfoType", configure as follows: The left part of the "|" symbol shows the "InfoType" tag, which is a list containing some complex objects. The right part of the "|" symbol identifies which complex object you will take the value from, for example "Serial_Number_CT". The value will then be added to the "CardNumber" field of the Card datapool.

Use this task to create an .ics file and store it in the data map.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: See the following example as a reference:

Use this task to create a pdf and store it in the datamap. The pdf will be generated from a Jasper Reports template.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

The name of the Jasper Report. Must be available in Identity Manager Admin. It can also be a JUEL Expression (for example, ${myDatapool_myReportNameField}). In this way, the template names from the process map are used dynamically.

Use this task to take a valid URL from the datamap and generate a QR code from it.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

QRCodeLinkField
QRCodeOutputField

Use this task to export a binary file from the datamap into a file location on the hard drive (server side).

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Use this task to export an image from the datamap into a file location on the hard drive (server side). The file extension will be automatically set depending on the image format.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Use this task to define a ParametrizedAction which is capable of downsizing pictures inside of a process.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Defines the maximum size the output file shall be. When the resize doesn't lead to the desired size, the action will perform a quality shrink (defined by spring parameter "qualityStep") until the size matches the size given by this parameter.
Boolean flag which indicates whether the aspect ratio of the image should be kept or not.

This is a flowchart of the task:

Use this task to import all rows from a CSV file as core objects. The following must apply: Whenever there is a problem with the import, no objects will be imported at all. An exception will be thrown with a message identifying the row or even the cell that caused the problem. This message will be logged, too.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

The core template name which should be used for the new core objects. This should be based on a DAO based Datapool.
This can be used to limit the number of core objects. If it's set and there are more entries in the CSV, an Exception will be thrown.
Same as for createdCoreObjectDescriptorListVarName except that the list will contain the modified core objects. When you configure the same name as for createdCoreObjectDescriptorListVarName the resulting list will contain descriptors for both types of core objects: newly created as well as modified.
Specifying a mapping provides manifold possibilities to configure the content of the CSV file. Without a mapping the following restrictions apply: The delimiter must be a comma. The format for dates must be dd-mm-yyyy.

Also consider this: If you need to use this service task, please contact Nexus.

Use this task to validate the uploaded photos. This task is compatible with FaceVACS-SDK 9.4.0. Follow these steps:

To use this task, configure the following delegate expression in your service task: The FRSDK configuration file has to be configured in the faceVACSObjectsCreater bean (needed at runtime). This file can be located in "%INSTALLDIR%/etc/frsdk.cfg". The following parameters can be configured in Identity Manager Admin:

Use this task to call a rest endpoint from a BPMN process in Identity Manager, for example, to push certificate, card or user data to a REST end point of a third party system. This service task will always send a POST request. The service task will compile the resolved data into an XML, similar to the format used in the REST Process API: Only the extra parameters of the service task will be added to the request body (see the table below). You need to add the fields you want to export as parameters by clicking the + button next to the service task and adding the parameters with values. The password field will be hidden with dots in Identity Manager Admin.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:

Parameter | Mandatory | Value | Description |
---|---|---|---|
Url | | Any String or JUEL expression | |
username | | Any String or JUEL expression | The username for the HttpBasicAuth. |
password | | Any String or JUEL expression | This will be a secret field containing the password for the HttpBasicAuth. |
myfield01 | | Any String or JUEL expression | This parameter is added as shown in the example above and will be added to the request body. |
myCertificate01 | | Any String or JUEL expression | This parameter is added as shown in the example above and will be added to the request body. |

These are the accepted status codes and reactions: 202 and 204 are not recognized as success and cause an exception.

Use this task to generate a random GUID and store it in the data pool.

To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin:
Configuration
${createINGroupeRequestParameterizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
CoreObjectListFieldName | | | Name of the variable in the process map which contains a list of CoreObjectDescriptors that should be used to create the request. |
OutputFieldName | | | Name of the variable in the process map where the request XML should be output to. |
ConfigurationFilePath | | | Absolute file path of the configuration file that should be used to create the request. The configuration file needs to be encoded in UTF-8 to ensure language-specific characters are displayed correctly. |
 | | | Status that a card can take when the exporting was successfully done. |
statusOnError | | | Status that a card can take when the exporting was not successfully done. |
Configuration file:
BatchRequestType_globalSchema = DEMANDES_2.1.XSD
CardType_DataType|Numero_carte = 123456789
Description
Configuration
${importINGroupeReportsParameterizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
InputFolder | | | The folder which contains all the XML files. |
ImportedFolder | | | The folder which stores already imported XML files. |
ProblemFolder | | | The folder which contains XML files that could not be imported. |
 | | | The absolute path to the mapping file. |
UniqueFieldName | | | The name of the field by which each card can be identified. |
StatusMappingFieldName | | | |
Configuration file:
EntRecType_unRef = Card_UniqueReference
InfoType|Serial_Number_CT = Card_CardNumber
Description
Configuration
${createIcsFileParametrizedTask}
Parameter | Mandatory | Description |
---|---|---|
subject | | The subject of the event. |
location | | The location of the event. |
startTime | | The start time of the event. |
endTime | | The end time of the event. |
targetField | - | Specifies where the .ics file shall be stored in the data map. |
allDayEvent | - | If set to "true", the event will be shown as an all-day event. |
content | | Defines the content of the event. |
Description
Configuration
${generatePdfParametrizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
reportName | | | |
fieldName | | | The datamap field to which the PDF will be stored (as a byte[]). |
Description
Configuration
${generateQRCodeTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
QRCodeLinkField | | | The data map field in which the link is stored from which the QR code is created. |
QRCodeOutputField | | | The name of the output field to which the QR code ("jpg", byte[]) will be stored. |
Description
Configuration
${exportBinaryParametrizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
exportFilePath | | | Defines the folder into which the binary file shall be exported. |
exportFileName | | | Defines the name of the exported binary. |
exportDataMapTargetField | | | Defines the datamap field from which the action should export the binary file. |
Description
Configuration
${exportImageJavaDelegate}
Parameter | Mandatory | Value | Description |
---|---|---|---|
exportFilePath | | | Defines the folder into which the image shall be exported. |
exportFileBaseName | | | Defines the base name of the exported image. The export appends a time stamp, resulting in, for example: John_Doe_2019-11-20_10-52-19.jpg |
exportDataMapTargetField | | | Defines the datamap field from which the action should export the image. |
Description
Configuration
${resizeImageJavaDelegate}
Parameter | Mandatory | Default value | Description |
---|---|---|---|
dataPoolSourceField | | | The datapool field in which the source image is stored. |
dataPoolTargetField | | | The datapool field in which the target image shall be stored. |
imageWidthInPx | | | The desired width of the target image in px. |
imageHeightInPx | | | The desired height of the target image in px. |
maxBinarySizeInKB | - | | Defines the maximum size of the output file. When the resize alone does not lead to the desired size, the action performs a quality shrink (in steps defined by the Spring parameter "qualityStep") until the size is within the size given by this parameter. |
keepRatio | | | Boolean flag which indicates whether the aspect ratio of the image should be kept or not. |
qualityDescreaseStep | - | 0.05 | Indicates the quality decrease step when trying to minimize the quality to reach the desired maxBinarySizeInKB. |
Description
Configuration
${importIdentitiesFromCSVTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
csvField | | | The field which contains the CSV file as byte array. You can use a Binary Field or a Variable Binary Field. |
targetCoreTemplateName | | | The core template name which should be used for the new core objects. This should be based on a DAO based datapool. |
commaSeparatedListOfUniqueIdentifiers | | | Comma-separated list of the fields which identify one unique core object. |
maxNumberOfEntriesInCSV | | | Can be used to limit the number of core objects. If it is set and there are more entries in the CSV, an exception is thrown. |
createdCoreObjectDescriptorListVarName | | | When used, the variable with the configured name will contain a list of CoreObjectDescriptors after the execution. The list describes the core objects that were newly created by the action, so subsequent operations can be performed on those core objects later in the process. |
updatedCoreObjectDescriptorListVarName | | | Same as createdCoreObjectDescriptorListVarName, except that the list contains the modified core objects. When the same name is configured for both, the resulting list contains descriptors for both newly created and modified core objects. |
mapping | | | Specifying a mapping provides manifold possibilities to configure the content of the CSV file. Without a mapping, the delimiter must be a comma and the format for dates must be dd-mm-yyyy. |
errorMessageField | | ErrorMessage | If this field is provided and an error occurs, a message containing the cause is not only logged but additionally put into the variable with the specified name. |
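As an added example (not code from Identity Manager), the checks a CSV import without a mapping has to pass: comma delimiter, dd-mm-yyyy dates, the entry limit, non-empty unique-identifier fields, an error message naming the failing row and cell, and all-or-nothing behaviour. The function and exception names, the split into created and updated rows by comparing against already known identifiers, and the sample CSV are assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime

DATE_FORMAT = "%d-%m-%Y"  # dd-mm-yyyy, the only date format accepted without a mapping


class CsvImportError(Exception):
    """Raised instead of importing anything; the message names the row and cell."""


def import_identities_from_csv(csv_bytes, unique_identifiers, existing_keys,
                               date_fields=(), max_entries=None):
    """Check every row first; only if all rows pass is anything 'imported'.

    existing_keys: identifier tuples of core objects that already exist
    (hypothetical stand-in for the lookup the real task does). Returns
    (created, updated) row lists, mirroring the two descriptor-list variables.
    """
    rows = list(csv.DictReader(io.StringIO(csv_bytes.decode("utf-8"))))  # comma delimiter
    if max_entries is not None and len(rows) > max_entries:
        raise CsvImportError(f"CSV has {len(rows)} entries, limit is {max_entries}")
    created, updated, seen = [], [], set()
    for number, row in enumerate(rows, start=2):  # line 1 is the header
        for column in unique_identifiers:
            if not row.get(column):
                raise CsvImportError(f"row {number}, cell '{column}': identifier is empty")
        for column in date_fields:
            try:
                datetime.strptime(row[column] or "", DATE_FORMAT)
            except (KeyError, ValueError):
                raise CsvImportError(f"row {number}, cell '{column}': date must be dd-mm-yyyy") from None
        key = tuple(row[column] for column in unique_identifiers)
        if key in seen:
            raise CsvImportError(f"row {number}: duplicate identifier {key}")
        seen.add(key)
        (updated if key in existing_keys else created).append(row)
    return created, updated


# Constructed sample input (not from the page): employee 1001 already exists, 1002 is new.
SAMPLE_CSV = (b"FirstName,LastName,EmployeeId,ValidFrom\n"
              b"John,Doe,1001,20-02-2023\n"
              b"Jane,Roe,1002,21-02-2023\n")

if __name__ == "__main__":
    created, updated = import_identities_from_csv(
        SAMPLE_CSV, ["EmployeeId"], {("1001",)}, date_fields=["ValidFrom"])
    print("created:", [r["EmployeeId"] for r in created], "updated:", [r["EmployeeId"] for r in updated])
```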
Description
Configuration
${cognitecFaceVACSValidationParametrizedTask}
Spring bean configuration (the FRSDK configuration file path is passed to the faceVACSObjectsCreator bean):
<bean id="cognitecFaceVACSValidationParametrizedAction" class="de.vps.act.action.photo.validation.CognitecFaceVACSValidationParametrizedAction">
  <property name="faceVACSChecker">
    <bean class="de.vps.act.action.photo.validation.FaceVACSChecker">
      <property name="faceVACSObjectsCreator" ref="faceVACSObjectsCreator" />
    </bean>
  </property>
</bean>
<bean id="faceVACSObjectsCreator" class="de.vps.act.action.photo.validation.FaceVACSObjectsCreator">
  <constructor-arg value="C:/FVSDK_9_4_0/etc/frsdk.cfg" />
</bean>
Parameter | Mandatory | Value | Description |
---|---|---|---|
outputFieldName | | | The data map variable in which the result of the check will be available. |
photoFieldName | | | Photo field name in the data map. |
checkColor | - | | Returns true if the portrait characteristics are based on a colour image and false if they are based on a grayscale (intensity) image. |
checkNaturalSkinColour | - | | Natural colours in the face region. Returns true if the face region has natural colours, otherwise false. |
checkFrontal | - | | The face is considered frontal if the rotation of the head is less than +/-5 degrees from frontal for yaw and pitch and if the roll angle of the head is less than +/-8 degrees. |
checkEyesOpen | - | | Returns true if both eyes of the person are open. |
checkEyesGazeFrontal | - | | Returns true if the person's eyes are looking frontally at the camera. |
checkEyesNotRed | - | | Returns true if neither pupil is detected as red. |
checkNoTintedGlasses | - | | According to ISO 19794-5:2005 section 7.2.11 and best recommendations, glasses should not be tinted. |
checkSharp | - | | Returns true if the face area (from chin to crown and from left to right ear) fits the focus and depth-of-field characteristics (see ISO 19794-5:2005 section 7.3.3). |
checkMouthClosed | - | | Returns true if the mouth is closed according to ISO 19794-5:2005 section 7.2.3 and appendix A 2.2.1. |
Description
Example request body (format similar to the REST Process API):
<data>
  <field name="myField01">value01</field>
  <field name="myCertificate01">Base64EncodedBinary01</field>
</data>
Configuration
${restCallTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
Url | | Any String or JUEL expression | The URL endpoint where the data will be sent. |
username | | Any String or JUEL expression | The username for the HttpBasicAuth. |
password | | Any String or JUEL expression | This will be a secret field containing the password for the HttpBasicAuth. |
myfield01 | | Any String or JUEL expression | This parameter is added as shown in the example above and will be added to the request body. |
myCertificate01 | | Any String or JUEL expression | This parameter is added as shown in the example above and will be added to the request body. |
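The request this task sends, as an added example that is not Identity Manager's own code: it serialises the extra parameters into the <data>/<field> body, attaches HTTP basic auth from username and password, and maps the response status to the documented reaction (200 success, 300 no reaction, 400 HttpClientException, 500 BPMNError, 202 and 204 an exception). The exception classes, function names and the treatment of 300/400/500 as whole status classes are assumptions, and the sample parameters are constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Parameters consumed by the task itself; every other parameter becomes a <field>.
RESERVED = {"Url", "username", "password"}

class HttpClientException(Exception):
    """Stand-in for the exception the task throws on a 400-class answer."""

class BPMNError(Exception):
    """Stand-in for the BPMN error the task raises on a 500-class answer."""

def build_request_body(parameters):
    """Serialise the extra parameters as <data><field name="...">...</field></data>.
    ElementTree escapes the text, so a value containing '<' or '&' cannot
    break out of its <field> element."""
    root = ET.Element("data")
    for name, value in parameters.items():
        if name not in RESERVED:
            ET.SubElement(root, "field", name=name).text = str(value)
    return ET.tostring(root, encoding="unicode")

def build_request(parameters):
    """Return an unsent urllib Request: POST, HTTP basic auth, XML body."""
    credentials = f"{parameters['username']}:{parameters['password']}".encode("utf-8")
    return urllib.request.Request(
        parameters["Url"],
        data=build_request_body(parameters).encode("utf-8"),
        headers={"Authorization": "Basic " + base64.b64encode(credentials).decode("ascii"),
                 "Content-Type": "application/xml"},
        method="POST")

def react_to_status(code):
    """Apply the reaction table; 202 and 204 are deliberately not success."""
    if code == 200:
        return "success"
    if 300 <= code < 400:  # no exception and no reaction
        return "ignored"
    if 400 <= code < 500:
        raise HttpClientException(f"endpoint answered {code}")
    if code >= 500:
        raise BPMNError(f"endpoint answered {code}")
    raise RuntimeError(f"status {code} is not recognized as success")

# Constructed sample parameters (not from the page); the host is a placeholder.
PARAMS = {"Url": "https://example.invalid/api/cards", "username": "im-user", "password": "secret",
          "myfield01": "value01", "myCertificate01": "Base64EncodedBinary01"}
```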
Accepted status codes
Status code | Reaction |
---|---|
200 | Success |
300 | No exception and no reaction inside code |
400 | Throws HttpClientException |
500 | Throws BPMNError |
202 and 204 are not recognized as success and cause an exception.
Description
Configuration
${generateGUIDForEntityParameterizedTask}
Parameter | Mandatory | Value | Description |
---|---|---|---|
GuidDataPoolField | | | Which data pool field to store the GUID in. |
Troubleshooting
For more information, see the following links: