Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes standard service tasks that can be used with Smart ID Identity Manager.

The default values below are only examples. The values must be configured for the desired behavior of the task.

Expand/Collapse All

Parameters and values

Mandatory parameters must not be deleted when you configure a Standard service task. Otherwise the task will fail at runtime. (This is because, currently Identity Manager Admin does not check the existence of mandatory parameters.)

For some parameters of the Standard service tasks, default values at design time are documented here. Those default values are only relevant when configuring a new Service task in Identity Manager Admin. The default value is at this time automatically added as parameter value. It may be changed or the parameter may be deleted by the process designer. In that case, the default value at design time does not have any effect at runtime.

A parameter which is not mandatory may be deleted at design time. At runtime the following default values are in effect, depending on the parameter type:

TypeDefault value at runtime
DateCurrent date, measured to the nearest millisecond
Booleanfalse
(other)null

Standard service tasks

Card Production


Description

Use this task to run a search on the Nexus GO Cards ordering API to get the status of an order which was previously launched through Nexus GO Cards production.

Configuration

To use this task, configure the following delegate expression in your service task:

${caasCardOrderStatusAction}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample valueDescription
orderId


This is the orderId (or requestId) provided by Nexus GO Cards when a cardOrder is placed.
statusVariableKeyName

  • valid
  • pending
  • etc.

Defines the parameter name (for example orderStatus) which will contain the order status defined by the above orderId.

EM_rfIdType-


This parameter determines the variable name for the rfid of type EM.
MIFARE_rfIdType-
This parameter determines the variable name for the rfid of type MIFARE.
HITAG_rfIdType-
This parameter determines the variable name for the rfid of type HITAG.
LEGIC_rfIdType-
This parameter determines the variable name for the rfid of type LEGIC.
CAAS_SERVICE_NOT_AVAILABLE-
This parameter can be used in BPMN to react on errors regarding the CaaS Service.

When the status order is retrieved from Nexus GO Cards, the RFIDs readouts can have multiple entries for the same type.

For example:

{
    "foundCount": "1",
    "order": {
        "orderId": "3541415",
        "created": "2018-08-29 13:51:02",
        "orderStatus": "Valid",
        "orderStatusId": "1",
        "cardNumber": "BB-1808-636328",
        "layoutId": "147424",
        "productionDate": "2018-08-29",
        "validThru": "2023-08-29",
        "personName": "Demo, Dynamics",
        "readouts": [
            {
                "type": "EM_HEX_LSB",
                "uid": "9876543"
            },
            {
                "type": "EM_HEX_MSB",
                "uid": "12345678"
            }
        ]
    }
}

For these cases, the first value of the same type is used (EM_HEX_LSB and EM_HEX_MSB are considered to be of the same type).

Description

Use this task to execute card productions on the server side. The service tasks supports execution of encodings via Card SDK or the JPKIEncoder integrated in Identity Manager. Printing is currently not supported.

Configuration

To use this task, configure the following delegate expression in your service task:

${serverSideCardOperationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
encodingName

PcmEncProduceEmployeeCardName of the encoding description to be executed
cardSDK-trueFlag to configure if the encoding should be executed through the Identity Manager server directly or through Card SDK. Default is true, which means that the encoding is executed through Card SDK.

Certificates


Description 

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Nexus CM based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
publicationProcedure

CertEP CA Certificate to AD (Enrollment Services)Publication procedure defined on the CM.
serialnumberField

Certificate_CertSerialName of the field containing the serial number in the datamap.
DataPoolName_Certificate

CertificateDatapool name of certificate.
serialNumberIsDecimal-true

Indicates that the serial number is in decimal format already.

If this field is set to "false" or left out, the serial number will be interpreted as hex format.

Description

Use this task to create an ACME pre-registration order in Nexus Certificate Manager. You need to use Smart ID Certificate Manager 8.1 or later.

If you apply the CMSDK 7.18.1 downgrade package for PRIME 3.12, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${acmePreRegistrationTask}


The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
hmackey


The shared secret to secure the further communication
keyid


Identifies the account
alloweddomains

-


A comma-separated list of domains, that the account is allowed to order certificates for.

certificateTemplate


Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway.

Description 

Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

Configuration

To use this task, configure the following delegate expression in your service task:

${estOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name which has token procedure and CM information.
commonName

Example value:

  • Nexus GmbH

Common name

userName

-


User name which is allowed to make EST request.
password


Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request.

state

Valid values:

  • Open (default)
  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at CM.

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity-

Valid values:

  • always (default if not set)
  • number of days
Validity value of the request order, either "always" or the number of days. CM defaults to 'always' if not set.
realm-

Example value:

  • est-realm
realm details

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description 

Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Nexus Certificate Manager (CM). 

The task will be executed on server identities and use some details of the server identities for creating order request. The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration)  SCEP enrolment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
certTemplate


Certificate template name which has token procedure and CM information.
commonName


Common name parameter defines the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. Domain name of the machine or server.

It is not possible to have multiple FDQNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

enrollReg

 trueRegistration enrolment flag (true/false).
password


Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request.

cpmState


This value decides whether this is a registration or a de-registration order request at CM.

Set to 1000 to trigger a registration, 1001 to trigger a de-registration

validity

Validity value of the request order, either "always" or the number of days. CM defaults to 'always' if not set.
emailAddress

Email address of the responsible person.
ipAddress

IP address of the server of machine.
serialNumber

Serial number of the device if available. It is not mandatory so it can be blank.

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description

Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
P10RequestFormEntry

p10inputProcess variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult

certResultProcess variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.
P7ResponseField-certChainProcess variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.
certTemplate

ScmCtServerCertificateP10Certificate template name.
booleanResultWithPEMHeaders-trueConfigures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

There are two types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 
            - This BPMN Error code appears when we have any connection issue with CA.
  • Error Code = CaRequestFailed
           - This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.

Update Note

In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask} .

Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0.

Description

Note

This task works with Nexus Certificate Manager only. Other certificate authorities are not compatible.

Use this task to send a certificate request based on extracted PKCS#10 data (via Cert: Extract PKCS#10 Attributes From Request) combined with certificate template data. Mapped Certificate data-pool field values in the certificate template can be populated with extracted PKCS#10 data or set to custom values. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeModifiedPKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input
Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult

Example value:

  • certResult
Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name.
booleanResultWithPEMHeaders-

Example value:

  • true
Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.
P7ResponseField        -

Example value:

  • certChain
Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

There are two types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 
            - This BPMN Error code appears when we have any connection issue with CA.
  • Error Code = CaRequestFailed
           - This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.

Description

Use this task to extract attributes from a certificate. 

Configuration

To use this task, configure the following delegate expression in your service task:

${extractCertAttributesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryExample ValueDescription
X509Field

Certificate_DataThe name of the field containing the certificate as binary data. It must be contained in the process map.
RSAPublicExponent-Cert_publicExponentField to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates.
keySize-Cert_keySizeField to store the key size of the certificate's public key as Integer.
keyType*-Cert_keyTypeField to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change!
keyUsage*-Cert_keyUsageField to store the key usages.
extKeyUsage*-Cert_extKeyUsageField to store the extended key usages.
hashAlgorithm*-Cert_hashAlgorithmField to store the hash algorithm name.
validFrom-Cert_validFromField to store the start date of the validity period as Date.
validTo-Cert_validToField to store the end date of the validity period as Date.
subjectDN-Cert_subjectDNField to store the subject distinguished name.
issuerDN-Cert_issuerDNField to store the issuer distinguished name.
certSerialNumber-Cert_serialNumberField to store the serial number.
cdpUrls*-Cert_cdpUrlsField to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated.
ocspUrls*-Cert_ocspUrlsField to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated.
SAN_EMAIL-Cert_sanEmailField to store the SANs email addresses.
SAN_UPN-Cert_sanUpnField to store the SANs user principal names.
SAN_DNS-Cert_sanDnsField to store the SANs dns names.
SAN_IP-Cert_sanIpField to store the SANs ip addresses.
SAN_URI-Cert_sanUriField to store the SANs uniform resource identifiers.
SAN_GUID-Cert_sanGuidField to store the SANs globally unique identifiers.
SAN_RID-Cert_sanRidField to store the SANs registered IDs.
GIVENNAME-Cert_DN_GIVENNAMEField to store the given name.
SURNAME-Cert_DN_SURNAMEField to store the surname.
C-Cert_DN_CField to store the country.
CN-Cert_DN_CNField to store the common name.
L-Cert_DN_LField to store the locality.
O-Cert_DN_OField to store the organization.
OU-Cert_DN_OUField to store the organizational unit.
ST-Cert_DN_STField to store the state.

In case of error

The following parameters are set in case of error:

ParameterMandatoryValueDescription
ExtractionResult*

-

Valid values:

  • success (default)
  • error

The value is default set to "success".

If one of the following errors occurs, the value is set to "error":

  • The field containing the certificate is empty.
  • One of the attributes exceeds 2000 characters (limitation by Activiti).
ExtractionResultErrorMsg*-

Valid values:

  • "Certificate data is empty"
  • "The attribute 'xy' exceeded 2000 characters."
If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters."

* - These parameters require PRIME 3.12.4 or later.

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in Identity Manager Admin

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input

Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary.

Extracted attributes

Subject DN attributesPrefixResult
  • Email = E
  • Common Name = CN
  • Country = C
  • Organisation = O
  • Title = T
  • Surname = SURNAME
  • State = ST
  • Given Name = GIVENNAME
  • Organisation Unit = OU
  • Serial Number = SN
  • Unique Identifier = UID
  • Street = STREET

PKCS10RequestFormEntry

  • PKCS10RequestFormEntryE
  • PKCS10RequestFormEntryCN
  • PKCS10RequestFormEntryC
  • PKCS10RequestFormEntryO
  • PKCS10RequestFormEntryT
  • PKCS10RequestFormEntrySURNAME
  • PKCS10RequestFormEntryST
  • PKCS10RequestFormEntryGIVENNAME
  • PKCS10RequestFormEntryOU
  • PKCS10RequestFormEntrySN
  • PKCS10RequestFormEntryUID
  • PKCS10RequestFormEntrySTREET

SAN attributes

PrefixResult
  • SAN EMAIL = SANEMAIL
  • SAN GUID = SANGUID
  • SAN DNS = SANDNS
  • SAN UPN = SANUPN
  • SAN IP = SANIP
  • SAN RID = SANRID
PKCS10RequestFormEntry
  • PKCS10RequestFormEntrySANEMAIL
  • PKCS10RequestFormEntrySANGUID
  • PKCS10RequestFormEntrySANDNS
  • PKCS10RequestFormEntrySANUPN
  • PKCS10RequestFormEntrySANIP
  • PKCS10RequestFormEntrySANRID
Other attributesPrefixResult
  • Key size
  • Algorithm (+ curve)*
  • HashAlgorithm
  • (as boolean) = the signature is valid
PKCS10RequestFormEntry
  • PKCS10RequestFormEntryKeySize
  • PKCS10RequestFormEntryKeyType
  • PKCS10RequestFormEntryHashAlgorithm
  • PKCS10RequestFormEntrySignatureValid

*Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.

Description

Use this task to fetch the IDs of the latest certificates to be recovered and put them in the process map in a format suitable for key recovery. The user whose certificates will be fetched, is the user found in the process map. The certificates that will be fetched are the <count> latest certificates of type <certTemplate> related via ObjectRelations directly to the user or related over a Card to the user.

SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database.

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryExample valueDescription
certTemplates


A comma separated list of the certificate core template names of the certificates to be recovered.
count


Fetch the IDs of the latest <count> certificates.

processVariable


The process variable name where to put the IDs. The default value is "Certificate_CoreObjects". This default is taken from the action-beans.xml, bean id="keyArchivalRequestPreProcessor" and bean id="certificateKeyRecovery", bean/[@id="keyArchivalRequestPreProcessor"]/property/[@name="coreObjectIDKey"}/@value. You should use this default, unless there is an urgent requirement for changing it.

DataPoolName_Certificate


The datapool name of the Certificate core object.
DataPoolName_Person


The datapool name of the Person core object.
DataPoolName_Card


The datapool name of the Card core object.
ObjectRelationType
Example value: 
Default, Deputy

A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy).

When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types.

This is a general white-list, which does not distinguish between the objects involved in a relation, like Person<>Card, Person<>Certificate, Card<>Certificate, etc. Therefore you have to be very careful in constructing the relations to avoid accidental recovery of unwanted certificates.

Example

Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card.

Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User".

Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match.

To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them.

To use this task, select it in Identity Manager Admin and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.

Description

Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager.

When new certificates are requested, the values will be taken from the certificate template configured under "archivalTemplate". The following attributes can be set:

AttributeDescription

Common Name (CN)

Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Email (SAN_EMAIL)

Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Surname (SURNAME)

Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Givenname (GIVENNAME)

Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryDefault value / ExampleDescription
requestAndArchive

true (default value)If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived)
passwordField

Person_PasswordRefName of secret field in which the password for encrypting the secret keyrings is provided
archivalTemplateif requestAndArchive true PkiBoPgpCert

Name of the PGP archival certificate template configured in Identity Manager, must match the config of ${prepareDataForCertificateKeyRecoveryTask}

archivalSubjectSerialNumberPrefix-${Person_UPN}Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like this: "MyResolvedPrefixc97cb0de-
4774-454c-8568-82fbcd6ee710"
recover

true (default value)If true, then existing PGP keys for the user will be recovered
recoveryTemplateif recover truePkiBoPgpRecoveryName of the PGP recovery certificate template configured in Identity Manager
certificatesForRecoveryif recover true Certificate_CoreObjects

Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover

mailDefinitionNameif publicKeyringsField and secretKeyringsField missing PGP Softtoken MailName of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing)
mailEncryptionCertificates- Certificate_EncProcess var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail.
publicKeyringsFieldif mailDefinitionName missingPublicPgpKeyRefForDownloadName of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap)
secretKeyringsFieldif mailDefinitionName missing SecretPgpKeyRefForDownloadName of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap)
errorMessageField

ErrorMessage (default value)Name of the process var into which the BpmnError message is saved if one is thrown
errorTypeField

ErrorType (default value)Name of the process var into which the BpmnError type is saved if one is thrown
ssnsIssuedNotPropagatedField

SubjectSerialNumbersIssuedNotPropagated (default value)Name of the process var into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, this might require additional lookups in CM, though)

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 Container and either save it to secret field store or send it via email. There are two ways to query the data base:

  • Recover the certificates found in process variable.
  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is queried the task will fail.

Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores can not be opened with java < 11.0.3 unless BouncyCastle (BC) is used as a KeyStore provider.

  • Windows can open the generated P12.
  • Java with Boucycastle can open the generated P12.
  • Java >= 11.0.3 without BC can open the generated keystores, however the encoding parameters selected in the softtoken task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use for example:
    • Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
    • PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    • Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)
  • Nexus Personal Desktop Client can import the generated P12, however versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC
  • Nexus Personal Desktop App can import the generated P12, however versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
p12PasswordField

Example value:

  • Person_PasswordRef
Password variable field for the generated PKCS#12 container. There are actions to create one.
recoverCerts

Valid values:

  • true (default)
  • false
Whether recovery should be executed.
processVariableIf recoverCerts = true

Example value:

  • Certificate_CoreObjects
Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 
recoveryTemplate-

Example value:

  • Revocery
Certificate template used for recovery. Not necessary for some CAs.
requestCert

Valid values:

  • true (default)
  • false
Whether a new certificate should be requested (Plain request).
certTemplateIf requestCert = true

Example value:

  • MyCertTemplate
Certificate template used for requesting the new certificate.
includeChain-

Valid values:

  • true (default)
  • false
If present and set to false, the certificate chain is skipped and only end-entity certificates will be included.
keyArchival

Valid values:

  • true (default)
  • false
Whether the created key are archived in the CA.
mailDefinitionName-

Example value:

  • MyMailDefinition
If empty, no mail is sent.
encryptionCertificates-


The core object descriptor list of the certificates used for email encryption.
p12RefField-

Example value:

  • Person_Softtoken
Field to store PKCS#12 container in Base64 encoding.
errorMessageField

Example value:

  • ErrorMessage
Field to store the human readable message in case of error.
errorTypeField

Example value:

  • ErrorType
Field to store error type (ERROR, CA_ERROR or MAIL_ERROR).
certsToRevokeField

Example value:

  • CertsToRevoke
In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired.
p12EncryptionAlgo-

Valid values:

  • PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

Default value:

  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)
The encryption algorithm to use for the PKCS#12 keystore.
p12EncryptionIterations-

Default value:

  • 100000
The encryption iterations
p12PseudoRandomFunction-

Valid values:

  • HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    HMac with SHA-256 (OID: 1.2.840.113549.2.9)

Default value:

  • HMac with SHA-256 (OID: 1.2.840.113549.2.9)
The PRF to use for the PKCS#12 keystore
p12HashAlgo-

Valid values:

  • SHA-1 (OID: 1.3.14.3.2.26)
  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

Default value:

  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)
The hashing (MAC) algorithm to use for the PKCS#12 keystore
p12HashIterations-

Default value:

  • 100000
The hashing (MAC) iterations

Description

Use this task to revoke an existing certificate. This task needs to be executed on a Certificate object or with Certificate data available in the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${revokeCertificateTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certificateDataPool

Example value (fixed):

  • Certificate

Example value (resolved from variable):

  • ${certDataPool}
Certificate data pool name. Default Certificate data pool is "Certificate".
targetState

Example value (fixed):

  • Temporary Inactive

Example value (resolved from variable):

  • ${certState}

Target state of certificate

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Nexus Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
publicationProcedure

CertEP CA Certificate to AD (Enrollment Services)Publication- or unpublication procedure defined on CM.
serialnumberField

Certificate_CertSerial

Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object.

DataPoolName_Certificate

CertificateDatapool name of certificate.

Cert QuoVadis PKI


Description

Use this task to create a new domain request in the QuoVadis Certificate Authority. It is saved as a request core-object in a dedicated data-pool.

Prerequisites

Data-pool

  1. The data-pool must have the fields shown below. Pay special attention to the name of the Meta_CoreObjectState_-field which needs to end with the matching data-pool name:
  2. Note the field TransactionId which is used to store a UUID assigned by QuoVadis to each domain request. It is required to later query the status of the request.
    Usually the internal Requests table is used as data-source as shown below:

State-graph

  1. The state-graph must contain at least the following states: pending/approved/rejected (case-insensitive), with transitions from pending to both approved and rejected.
  2. If you want to disambiguate requests that did not yet have their state queried at the CA from those which are pending according to the CA, then add a start state sent before pending, as shown below, but this is optional (pending will be the start state when not using sent).

Request core-template

  1. You need a request core-template which uses the above data-pool and state-graph definitions:

Search-configuration (optional)

  1. Optionally you may configure a search-configuration for your request core-objects, for example, like this:

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisRequestDomainParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
quoVadisConnection

MyQvConnectorConfigQuoVadis connection name.
organisation

My QV OrganisationQuoVadis organisation name.
adminEmail

qvadmin@mycompany.comQuoVadis administrator e-mail address.
domain

my.new.domain.comDomain or IP-address for which to issue the request.
isEV

falseWhether you want to use extended validation with this domain.
requestTemplate

QvDomainRequestThe core template name which should be used for the new QuoVadis domain request core objects.
errorMsgField

ErrorMsgThe name of the field in which to save the error message for errors that happen during CA request or when saving of the core-object.
If no such error happened, then this field is not set.
errorCodeField

ErrorCodeThe name of the field in which to save the error code for errors that happen during CA request or when saving of the core-object.
This can be either of the following:
  • caRequestFailed
    → could not issue the domain request at the CA
  • saveFailed
    → domain request was successful, but creating the request core-object failed

If no such error happened, then this field is not set.

Description

Use this task to query the status of a QuoVadis domain request in the Certificate Authority and update the state of the request core-object in Identity Manager accordingly.
This task requires a QuoVadis domain request core-object to be loaded into the process map before execution.

The QuoVadis API does not allow any other kind of interaction with a created domain request besides querying its status. For example, to cancel a request is not supported.

Prerequisites

The prerequisites of the Cert QuoVadis PKI: Create domain request task above also apply here.

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisUpdateDomainRequestStatusParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
quoVadisConnection

MyQvConnectorConfigQuoVadis connection name.
organisation

My QV OrganisationQuoVadis organisation name.
requestDataPool

DpQuoVadisDomainRequestData-pool for QuoVadis domain requests.
errorMsgField

ErrorMsgThe name of the field in which to save the error message for errors that happen during CA request or when saving of the core-object.
If no such error happened, then this field is not set.
errorCodeField

ErrorCodeThe name of the field in which to save the error code for errors that happen during CA request or when saving of the core-object.
This can be either of the following:
  • caRequestFailed
    → could not query the domain request status at the CA
  • saveFailed
    → querying the request status was successful, but could not update the state of the request core-object

If no such error happened, then this field is not set.

Description

Use this task to save account domain list from QuoVadis Certificate Authority into Identity Manager lookup table. This task deletes the old domain list entry and creates a fresh entry in the configured lookup table.

Prerequisites

Create a lookup table-based datapool and core template name for storing the domain list information into Identity Manager.

Datapool

  1. The datapool must have the fields with the described names as shown in this figure. This field names are fixed and taken from DomainInfo response.

  2. Configure the datapool datasource as lookup table as shown in this figure:

       

Lookup table

  1. Create a lookup table which belongs to the Domain data pool. Any state graph can be assigned to this lookup table. 

       

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisDomainListUpdateParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
quoVadisConnection


QuoVadis connection name.
coreTemplateName


The core template name which should be used for the new core objects. This core template should consist of lookup table type DomainList Datapool.

Core Objects


Description

Use this task to check if a relation between two core objects exists. The names of both data pools have to be provided. The direction of the relation is not relevant, meaning that source and destination may be exchanged.

Configuration

To use this task, configure the following delegate expression in your service task:

${checkObjectRelationParametrizedTask}


The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
sourceDataPoolName


The name of the source data pool that is used to check the relation with the destination data pool.

destinationDataPoolName


The name of the destination data pool that is used to check the relation with the source data pool.
resultVariable


The name of the field indicating if a relation between the source and destination data pool exists. Contains either a "true" or "false" value.

"True" means that the objects are related to each other. "False" means that there is no relation between them.

Description

Use this task to create a relation between two core objects.

Object Relations tab

In this tab you manage the object relation types. A default entry is already set per tenant. Exactly one configuration must be the default configuration which is used when saving data, see Set up process in Identity Manager, the Save Data task.

Include these two fields in an object relations configuration:

  • Name: name of the object relation type
  • Default: determines if this configuration should be the default configuration

Configuration

To use this task, configure the following delegate expression in your service task:

${createRelationParametrizedJavaDelegate}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

source


Data pool name of the source of the relation, which has to be created. The core template name of this data pool will be saved in the database.

destination


Data pool name of the target of the relation, which has to be created. The core template name of this data pool will be saved in the database.

includeRelationTypeToCompareOfObjects

Valid values:

  • true
  • false (default at design time) 

Flag indicating if the relation type should be included when searching if the relation already exists. If you want to create multiple relations of different types between two core objects this parameter has to be set to true.

exceptionIsThrownIfRelationAlreadyExists

Valid values:

  • true (default at design time)
  • false

Flag indicating how the application reacts if the relation already exists. If set to "true" then throw Exception, else do nothing.

relationType

Default
Type of the relation. The object relation type must exist or an exception is thrown.

Description

Use this task to remove existing relations between objects. The removal applies for all relations between one specific object and either:

  • a single second object, or
  • all other objects belonging to the named Data Pool
  • all other objects belonging to the named template.

Furthermore, it is independently possible to restrict the removal to relations of a specific type.

Example: An employee started working with a replacement card. Later he or she receives an employee card. The connection to the reusable replacement card can then be removed.

  • Single: Both objects must be loaded into the process map before the relation can be dropped.
  • Either secondDataPoolName, secondDataPoolNameDropAll, or coreTemplateName must be provided. Only one of them is allowed. The ones that are not used must be deleted.

Configuration

To use this task, configure the following delegate expression in your service task: 

${dropRelationsParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

dataPoolName


Data pool name of the object whose relation shall be removed.

secondDataPoolName-


(warning) Only one of these three parameters is allowed to be filled!

Single Drop: Data pool name of the second single object. This object has to be available inside the Process Map.
secondDataPoolNameDropAll-Data pool Drop: Name of a Data pool. Relations to all objects belonging to this data pool are removed.
coreTemplateName-Core Template Drop: Name of a Core template. Relations to all objects belonging to this template are removed.

objectType



Deprecated. This parameter has the same meaning as coreTemplateName and is only provided for downgrade compatibility.

relationType-
When configured, only relations of the specified type are removed.

Description

Use this task to find core objects (for example, soft tokens), that will expire within a given time range.

Configuration

To use this task, configure the following delegate expression in your service task:

${coreObjectExpiryCheckParameterizedTask}

 The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription

coreTemplateNameList


Comma separated list of core template names that shall be the base of the search.
fieldName


Name of the data pool field that indicates the expiration date, for example, ValidTo. The data pool must belong to the core template(s) mentioned above.
offsetInDays


The offset in days before the related core objects expire.

The base is the field specified by fieldName, for example ValidTo. If you provide a value for offsetInDays, then logically it is

ValidTo - offsetInDays = dateToFindSofttoken

  • If dateToFindSofttokens is still in the future compared to the currentDate, then the soft token will not be found.
  • If dateToFindSofttokens is equal to the current date or if it is in the past, then the soft tokens will be found.

Example:

Expiry date of a soft token is 31st March 2017. If the offsetInDays is set to 30, the service task will only find the soft token with the beginning of 1st March 2017.

coreObjectIdListVariableName-CoreObject_Ids

Name of the variable containing the core objects that were found during the search. It contains only the core object ids.

Example: PcmDpCertificate_Coreobjects

Meta_CoreObjectState_Field


Name of the data pool field that indicates the state of the core object. The data pool must belong to the core template(s) mentioned above.

Example: Meta_CoreObjectState_PstmDpCertificate or Meta_CoreObjectState_BaseDpEmployee

Meta_CoreObjectState_Value


The actual state that shall be used for filtering the search.

Example: issued, active etc.

Credentials


Description 

Use this task to generate a response using the card manager key and a challenge for the offline unblocking process.

Configuration

To use this task, configure the following delegate expression in your service task:

${challengeResponseGeneratorTask}

 The following parameter can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
CardManagerKeyField


The name of the field that needs to hold the reference value to the card manager key (for example, Card_CardManagerKey). Must be a reference field.
ChallengeField


The challenge provided by Windows or a 3rd party tool, such as "CV act sc interface manager" in case of Cryptovision.
ResponseField


The response is generated by this task to support unblocking.
DisableDerivation-false

Set to "true" if you want to use the CardManagerKey directly as challenge/response key instead of deriving one.

This is relevant for non-Cryptovision middlewares (for example, CardOS or Gemalto), where we directly use a 3DES CardManagerKey instead of a 2DES key from which the actual challenge/response key is derived.

If the field is absent, derivation is enabled and a 2DES CardManagerKey is expected.

DisableDerivationField-

If present, points to a field containing the (override) value of DisableDerivation.

If both DisableDerivation and DisableDerivationField are present and the referenced field contains a value, the latter takes precedence. This is mainly intended for deployments that deal with multiple middlewares, which require different DisableDerivation values (for example CV + CardOS).

The following dependencies must be configured in the Spring configuration:

DependencyDescription

secretFieldsArchiver

Responsible for archiving the secrets into the secret field store.

Description 

Use this task to generate a 2DES / 3DES key as card manager key for minidriver compatible cards. The value generated is saved in an encrypted field.

Configuration

To use this task, configure the following delegate expression in your service task:

${cardManagerKeyProviderTask}

 The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
passwordFieldName


The name of the field that should hold the reference value to the card manager key (for example, Card_CardManagerKey). Must be a reference field.
blockCount-2Desired key length in blocks of 8 bytes. By default 2DES keys (2 blocks, 16 bytes) are generated.
If you generate keys for CardOS or Gemalto, set the parameter to 3 so 3DES keys (3 blocks, 24 bytes) are generated instead.
This distinction is needed since for Cryptovision, multiple keys are derived, including the challenge/response key from a 2DES key.
For CardOS and Gemalto the challenge/response key is generated directly, and the key needs to be 3DES.
blockCountFieldName-
If given, it points to a field containing the (override) value of blockCount.
If both blockCount and blockCountFieldName are present and the referenced field contains a value, the latter takes precedence.
This is mainly intended for deployments that deal with multiple middlewares which require different blockCount values (for example, CV + CardOS).

The following dependencies must be configured in the Spring configuration:

DependencyDescription
secretRefValueGeneratorResponsible for generating the reference value that is used to keep the reference to the secret value in the secret field store.

secretFieldsArchiver

Responsible for archiving the secrets into the secret field store.

Description

Use this task to generate a value for PIN and PUK according to certain rules (length, allowed characters) and to archive those values for later retrieval during card production or for PIN letter printing.

Configuration

To use this task, configure the following delegate expression in your service task:

${generateAndArchivePinAndPukParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
pinFieldName


The name of the field that shall hold the reference value to the archived PIN.
pukFieldName


The name of the field that shall hold the reference value to the archived PUK.
pinLength-4The desired length of the PIN.
pukLength8The desired length of the PUK.
pinAllowedCharacters0123456789Describes the characters to be used for generating the PIN value.
pukAllowedCharacters-0123456789Describes the characters to be used for generating the PUK value.

Description

Use this task to generate a password or another secret and to archive the value for later retrieval during card production or for PIN letter printing. The secret value is also hashed and stored in a separate field for easier comparison. The hash algorithm is defined in Spring since it must be the same as the one that is used for checking the passwords during login.

Configuration

To use this task, configure the following delegate expression in your service task:

${generateAndArchivePasswordWithMaxLengthAndAllowedCharactersTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
passwordFieldName-
The name of the field that should hold the reference value to the archived password. Must be a reference field.

passwordHashFieldName

-
The name of the field that should hold the hashed value of the password. The hash algorithm is defined in Spring. The data pool field must be of type password
passwordLength

8The desired length of the generated password.
passwordAllowedCharacters

0123456789Describes the characters to be used for generating the password value.

The following dependencies must be configured in Spring:

DependencyDescription
passwordHashGeneratorThe generator that is responsible for generating the hash value of the secret value. This is the place to define the hash algorithm.

secretRefValueGenerator

Responsible for generating the reference value that is used to keep the reference to the secret value in the secret field store.

secretFieldsArchiver

Responsible for archiving the secrets into the secret field store.

Digital Access (Hybrid Access Gateway)


Description

Use this task to provision a user to Smart ID Digital Access component The task consists of two phases:

  • In the first phase the user will be created or updated. This will always be done.

    If you do not set a validFrom field, the user always gets the current date as a valid from value in Digital Access.

  • The second phase is about locking or unlocking the user:
    1. If the current state of the CoreObject matches a state in the lockedStates configuration, the user will be locked.
      • If Smart ID Mobile App (Personal Mobile)is configured, all Smart ID Mobile App profiles that the user has will be deleted.

        Deletion of authentication methods SYNC and OATH are not implemented yet.


    2. If the current state of the CoreObject matches a state in the unlockedStates configuration, the user will be unlocked.
      • If Smart ID Mobile App is configured, the binary array of the barcode image (jpg) will be available in "personalimage". If unlocking of the user failed, the processmap will not contain the barcode.
      • If OATH is configured, the binary array of the barcode image (jpg) will be available in "oathActivationBarcode". If unlocking the user failed, the processmap will not contain the barcode.
      • If SYNC is configured, SYNC will be activated on Digital Access.

Configuration

To use this task, configure the following delegate expression in your service task:

${provisionUserToHagParameterizedTask}

The following parameters can be configured in PRIME Designer:

 ParameterMandatoryValueDescription

coreTemplateName

Example value:

  • Employee
The name of the coreTemplate from which the current coreObject state shall be retrieved.
challengePin-

Example value:

  • 111111 (default)
The default PIN for synchronized authentication of the user in Digital Access.
emailField-

Example value:

  • Employee_Email
The name of the datamap field which contains the email of the user.
hagUrl

Example value:

URL of Digital Access system.
locationDNField-
The datamap field which contains the ldap dn to the desired user. If this is set the user will be connected to LDAP in Digital Access as well.
lockedStates

Example value:

  • "disabled,blacklisted,arrested"
A comma separated list of states from the stategraph of the user which mean "locked" in Digital Access.
unlockedStates

Example value:

  • "active"
A comma separated list of states from the stategraph of the user which mean "unlocked" in Digital Access.
userEnabledPerDefault-

Valid values:

  • true
  • false
If set to "true" the user will automatically be enabled in Digital Access. If not set it is handled as "true".
userNameField

Example value:

  • Employee_LastName
The datamap field which contains the user name that shall be provisioned to Digital Access.
smsNumberField-

Example value:

  • Employee_SmsNumber
The datamap field which contains the phone/sms number of the user.
validFromField-

Example value:

  • Employee_ValidFrom
The datamap field which contains the validFrom information. If it's not set or the value of the field is null the current Date will be used as this is a mandatory parameter in Digital Access.
validToField-

Example value:

  • Employee_ValidTo
The datamap field which contains the validTo information.

authenticationMethods

-

Valid values:

  • Empty string (default)
  • SYNC
  • PM
  • OATH

The authentication methods which will be provided to Digital Access. Allowed are empty string (default), SYNC (= SYNChronized Authentication), PM (= Personal Mobile, that is, Smart ID Mobile App) and OATH (= Open AuTHentication).

Only one authentication method can be selected.

  • If an empty string is configured, a user account will be created without an authentication method.
  • If PM is configured, the barcode Image (jpg) from the Digital Access response will be put to the process map with the fixed key "personalimage". If the creation fails, the field in the process map is not touched.
  • If OATH is configured, the barcode Image (jpg) from the Digital Access response will be put to the process map with the fixed key "oathActivationBarcode". If the creation fails, the field in the process map is not touched.
pmStatus

-

Valid values:

  • Empty string (default)
  • activate

  • deactivate

What status Personal Mobile, that is, Smart ID Mobile App, should get. If an invalid status is configured, the status in PM is not changed.

This parameter is only mandatory if the authentication method is configured as PM. Otherwise it can remain empty.

OATHProvider-

Example values:

  • Empty string (default)
  • Predefined_hotp_HmacSHA1
  • Predefined_hotp_HmacSHA256
  • Predefined_hotp_HmacSHA512
  • Predefined_totp_HmacSHA1
  • Predefined_totp_HmacSHA256
  • Predefined_totp_HmacSHA512

The providers are configured in the Digital Access system. To find out which providers are configured on your Digital Access system, go to Digital Access Admin > Manage System > OATH Configuration > Manage OATH Providers.

For more info, see: Set up OATH tokens in Digital Access.

This parameter is only mandatory if the authentication method is configured as OATH. Otherwise it can remain empty.

Login


Description

Use this task to finalize a process that is going to be used as a post-login process.

Execute the service task at the end of a post-login process in order to mark the post-login process as successfully finished. It will not work without this. Do not use this task outside a post-login process.

Calling this task more than once within a post-login process will result in a failure.

Configuration

There are no parameters to configure.

Description

Use this task to search for a core object and create an AuthenticatedUser which is passed to the datamap with the key "AuthenticatedUser".

Configuration

To use this task, configure the following delegate expression in your service task:

${findAndAuthenticateCoreObjectParameterizedDelegate}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
principalFieldName


The field name of the unique identifier of the CoreObject, for example. "Email"
coreTemplateNames


The CoreTemplate names in which the CoreObject shall be searched for. The search starts with the first name in the list, for example, "Person,Employee,CleanupPerson".

The task can be defined as follows:

Spring configuration
    <bean name="findAndAuthenticateCoreObjectParameterizedAction" class="de.vps.act.action.login.FindAndAuthenticateCoreObjectParameterizedAction">
        <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
        <property name="authenticationProvider" ref="userPasswordCoreObjectAuthenticationProvider" />
        <property name="authProfileProvider" ref="authProfileProvider" />
        <property name="dataPoolProvider" ref="dataPoolProvider" />
        <property name="coreTemplateProvider" ref="coreTemplateProvider" />
    </bean>

    <bean id="findAndAuthenticateCoreObjectParameterizedDelegate" class="de.vps.act.processexecution.delegation.TaskParametrizedActionBasedJavaDelegate">
        <property name="taskParameterExtractor" ref="taskParameterExtractor" />
        <property name="action" ref="findAndAuthenticateCoreObjectParameterizedAction" />
    </bean>

PACS


Description

Use this task to assign an entitlement to a person.

The task works on three different core objects:

  • The 'Person'. This is the identity which gets an entitlement assigned.
  • The 'Entitlement'. This is an entity in Identity Manager which represents an entitlement (or 'access profile') at the PACS system.
  • The 'Assignment'. This is an entity that stores properties of the assignment request and attributes returned from the PACS system (like the external id). Usually an 'Assignment' will be stored as Request.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsAssignEntitlementParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

 ParameterMandatoryDefault valueDescription
pacsName


The name of the PACS system to communicate with.
entitlementAssignmentDataPoolName

falseThe name of the data pool for core objects, that stores the assignment, for example, 'Request'.
entitlementAssignmentExternalIdFieldName


The field name of the above data pool, where the external id of the assignment is stored, for example, 'ExternalId'.

targetEntity


The assignment is done on either a person or an access rule. By providing values such as 'person' or 'PERSON' (all letter are handled as lower case) the assignment is done on the person entity. By providing any other values, the assignment is done on the access rule.

Description

Use this task to create a group membership in Smart ID Physical Access component. Group membership means, assigning an existing person to an existing group.

The task works on three different core objects:

  • The 'Person'. This is the identity which gets a group assigned.
  • The 'Group'. This is an entity in Identity Manager which represents an group at the PACS system.
  • The 'Membership'. This is an entity that stores properties of the membership request and attributes returned from the PACS system (like the external id).

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateGroupMembershipParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
pacsName


The name of the PACS system to communicate with.

groupMembershipDataPoolName


The name of the data pool for core objects, that stores the group membership, for example, 'Request'.
groupMembershipExternalIdFieldName


The field name of the above data pool, where the external id of the membership is stored, for example, 'ExternalId'.

Description 

Use this task to send a request to PACS to create (if non existent) or to update (if exists) a card.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateOrUpdateCardParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription

pacsName


The name of the PACS system to communicate with.

cardStateFieldName


The card data pool field name where Identity Manager stores the state of the person, for example, 'Meta_CoreObjectState_PcmDpEmployeeCard'.

cardActiveStates


A comma separated list of supported active card states in Identity Manager, for example, 'active,enabled'.
cardType-
Optional. The type of a card. Physical Access component accepts two types: 'mifare' and 'em'.

Description

Use this action to send a request to PACS to create (if non existent) or to update (if exists) a person.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateOrUpdatePersonParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription

pacsName


The name of the PACS system to communicate with.

personStateFieldName


The person data pool field name where Identity Manager stores the state of the person, for example, 'Meta_CoreObjectState_BaseDpEmployee'.

personStates


A comma separated list of supported active person states in Identity Manager, for example, 'active,enabled'.

Description

Use this action to fetch entitlements of a given type or several types from a PACS system. Currently supported: Physical Access component. The fetched entitlements are stored as core objects.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsFetchEntitlementsParametrizedTask}

 The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
coreTemplateName


The name of the core template in which the entitlements shall be stored.
entitlementTypesField-

The name of the data pool for core objects, that store the assignment with the external id, for example, 'Request'.

listOfEntitlementTypes-

The field name of the above data pool, where the external id of the assignment is stored, for example, 'ExternalId'.

coreObjectDescriptorOutputField-

Description

Use this task to send a request to PACS to create (if non existent), update (if exists) and delete (if exists) a group.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsDealWithGroupParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
pacsName


The name of the core template in which the entitlements shall be stored.
deleteFlag

falseFlag for indicating whether the group should be created/updated (false) or if the group should be deleted (true).

Description

Use this task to send a request to PACS to create (if non existent), update (if exists) and delete (if exists) an access rule.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsDealWithAccessRuleParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
pacsName


The name of the PACS system to communicate with.
deleteFlag

falseFlag for indicating whether the access rule should be created/updated (false) or if the access rule should be deleted (true).

Description

Use this task to withdraw an entitlement from a person.

  • For Physical Access component there has to be a Request with the entitlement assignment id in the process map.

The task works only on the core object 'Assignment'. This is an entity that stores the external id of the EntitlementAssignment within Physical Access component. Usually a Request is used to hold this information.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsWithdrawEntitlementParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

 ParameterMandatoryDefault valueDescription
pacsName


The name of the PACS system to communicate with.
entitlementAssignmentDataPoolName


The name of the data pool for core objects, that store the assignment with the external id, for example, 'Request'.
entitlementAssignmentExternalIdFieldName


The field name of the above data pool, where the external id of the assignment is stored, for example, 'ExternalId'.

targetEntity


The withdrawal is done on either a person or an access rule. By providing values such as 'person' or 'PERSON' (all letter are handled as lower case) the withdrawal is done on the person entity. By providing any other values, the withdrawal is done on the access rule.

Description

Use this task to withdraw a group membership in Physical Access component.

Configuration

To use this task, configure the following delegate expression in your service task. There has to be a Request with the group membership id in the process map.

${pacsWithdrawGroupMembershipParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
pacsName


The name of the PACS system to communicate with.

groupMembershipDataPoolName


The name of the data pool for core objects, that stores the group membership, for example, 'Request'.
groupMembershipExternalIdFieldName


The field name of the above data pool, where the external id of the membership is stored, for example, 'ExternalId'.

Process


Description

Use this task to run a search configuration and trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed" if a uniqueness criteria is not met. The event might cause a different process flow.

Configuration

To use this task, configure the following delegate expression in your service task:

${assertUniquenessParameterizedTask}

 The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
searchConfigName


Defines the search configuration that should be used to count objects.

During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels.

minCount-

The minimum number of objects that should be found.

If the search finds less than minCount objects, the action will trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount are mandatory, at least one of them must be specified.

maxCount-

The maximum number of objects that should be found.

If the search finds more than maxCount objects, the action will trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount are mandatory, at least one of them must be specified.

resultVariableName-

resultCount (used if nothing is specified)

Specifies where the number of found objects will be stored in the data map. 

The value is stored whether the condition is met or not. If no resultVariableName is specified, 'resultCount' is used as a default name.

<Datapool_Field>-

For configuring search fields, add a parameter for each search field. The name of the parameter should be the full name of the datapool field. The value has to contain the filter condition and value, separated by a colon symbol.

For example:

EQUALS:${Person_PersonnelNumber}
GREATER_THAN:${now}
CONTAINS:st

If the underlying data source of the search configuration does not allow to query just the number of result objects, only as less objects as possible are fetched, but enough to find violations of minCount or maxCount. If the number of found objects equals to the upper limit, that was searched for, it is not possible to decide whether there are more objects. In such cases a hint is logged in debug mode:

"The search has been restricted to 2 object(s) for performance reasons, but there might exist more objects".

Description

Use this task to load pack binary data objects into a ZIP file. A CoreObjectDescriptor is needed (loaded in a service task before) to have a list with core objects which contain the binary data fields. Different binaries belonging to one core object can be packed together into one ZIP file (for example photo and signature). Reference-fields can also be added into zip, if they represent a binaryData (like softtoken).

Configuration

To use this task, configure the following delegate expression in your service task:

 ${buildZipFileFromBinariesParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
resultVariableNameZipFile

Fieldname in the datamap where the builded zipFile is written to.
resultVariableNameZipName-
Fieldname in the datamap where the name of the zipFile is written to.
zipfileName
  
Example value:
  • ${Person_LastName}_${Person_FirstName}_Binaries.zip
How the zipFile shall be named. fileExtension like '.zip' is needed.
coreObjectDescriptorList


coreObjectDescriptor which contains a list of CoreObjects with binaryData
<name of the zipFile-Entry>

 (minimum 1)

<name of binaryField to save into zipFIle>

Example value:

  • ${Person_LastName}_${Person_FirstName}_Photo.jpg
    ← Person_Photo
  • ${Person_LastName}_${Person_FirstName}_Softtoken.p12
    ← Person_Softtoken
  • Additional parameter, added with "+"
  • Combination zipEntryName ← BinaryFieldName

Description

Use this task to copy information about the currently logged in user to the process data map. Since the parameters are optional, only those parameters where a value is provided are copied to the process data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${copyValuesOfLoggedInUserToProcessMapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

userNameOutputField

-

userinfoUsername

The output field of the datamap which will contain the user name.

userFullNameOutputField

-

userinfoUserFullName

The output field of the datamap which will contain the user's full name.

userIdOutputField

-

userinfoUserid

The output field of the datamap which will contain the user id.

userIpAdressOutputField

-

userinfoIpAddress

The output field of the datamap which will contain the user's IP address.

userAuthProfileTypeOutputField

-

userinfoAuthprofileType

The output field of the datamap which will contain the users AuthProfileType (Enum is passed).

userExplorerInstanceIdOutputField

-

userinfoExplorerInstanceId

The output field of the datamap which will contain the user's explorer instance id if logged in through explorer.

userUsspInstanceIdOutputField

-

userinfoUsspInstanceId

The output field of the datamap which will contain the user's Smart ID Self-Service instance ID if logged in through Smart ID Self-Service.
userRolesOutputField-userinfoUserRoles

The output field of the datamap which will contain the user's assigned roles as a list. This is not meant to be used for the GUI and may result in issues. Use this, for example, in gateways like this:

${userinfoUserRoles.contains("Administrator") == true}
userSamlTokenIDOutputField-userinfoSamlTokenIDThe output field of the datamap which will contain the user's SAML Token ID.
userSamlIssueInstantOutputField-userinfoSamlIssueInstantThe output field of the datamap which will contain the user's SAML IssueInstant.
userLocaleOutputField-userinfoLocaleThe output field of the datamap which will contain the user's selected Locale.

Description

Use this task to delete a secret field from secret field store and clear the reference to it.

Configuration

To use this task, configure the following delegate expression in your service task:

${deleteSecretField}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryDefault valueDescription
referenceField


The field to be deleted in secret field store.

Description

Use this task to execute a script and put the result variables to the process map.

Configuration

To use this task, configure the following delegate expression in your service task: 

${executeScriptTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

scriptName


The name of the script.

Description

Use this task to run a search configuration and put the result to the map as core object descriptor list or as the complete object.

The search must be based on a CoreTemplate (and not Datapool).

If the number of search results is equal to or more than maxCount this is logged in the Tomcat log file.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSearchParameterizedTask}

 The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
searchConfigName

-


Defines the search configuration that should be used to count objects.

During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels.

maxCount


The maximum number of objects that should be found.
resultVariableName-
  • CoreObjectDescriptorList

Specifies the name of a variable of the data map, where the CoreObjectDescriptorList of the found objects is stored.

copyValuesOfFirstResult-

Valid values:

  • true
  • false (default)
This parameter decides whether the first found object is put completely to the map (true) or if the CoreObjectDescriptorList is put to the map (false). If set to true, resultVariableName will be ignored. maxCount will be ignored too and set to 1.
<Datapool_Field>-

<CONDITION>:<value>

Examples:

  • EQUALS:true
  • STARTS_WITH:${processVariable}

Valid CONDITIONS:

  • EQUALS
  • NOT_EQUALS
  • GREATER_THAN
  • GREATER_EQUALS
  • LESS_THAN
  • LESS_EQUALS
  • STARTS_WITH
  • ENDS_WITH
  • CONTAINS
  • SOUNDEX
  • EMPTY
  • NOT_EMPTY
  • Allowed multiple times, for each search field of the search config. Filter condition and value shall be separated by a colon symbol, like this, <CONDITION>:<value>.

    • Drag&drop a datapool-field into the Service Task definition, to create a filter, for example, OrderNumber, see (1) in the screenshot.
    • To make it work, you must add the datapool field name as a prefix, for example, SclmDpOrder_OrderNumbersee (2) in the screenshot.

      Every filter that is added as <Datapool_Field> MUST exist in the used SearchConfig, otherwise it will not be added when the search task is executed.

    • For the value, a condition is needed, in the screenshot "EQUALS".


Also the conjunctions AND and OR can be used. For example:
EQUALS:Active _OR_ temporary.inactive

This action works only in context with batch orders.

Description

Use this task to find the next possible/valid states to a given core object state. If the multiple selected core objects (in a batch order) do have different states (for example active, inactive), an ErrorBoundaryEvent will be triggered.

 Configuration

To use this task, configure the following delegate expression in your service task:

${findNextPossibleStates}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryDefault valueDescription

dataPoolName


The datapool name of the underlying batch order.
resturnField


The name of the variable containing all the possible states (which were found).

The task can be defined as follows:

Spring configuration
<bean id="findNextPossibleStatesAction" class="de.vps.act.processexecution.state.FindNextPossibleStatesAction">
   <property name="coreTemplateProvider" ref="coreTemplateProvider"/>
   <property name="stateGraphDefinitionManager" ref="stateGraphDefinitionManager"/>
   <property name="coreObjectDAO" ref="coreObjectDAO"/>
</bean>

<bean id="findNextPossibleStates" parent="parameterizedTask">
   <property name="action" ref="findNextPossibleStatesAction" />
</bean>

Description

Use this task to load an entity into the process map.

Given a datapool, a field, the field's value and optionally a core template, the matching entity will be loaded. If more than one entity matches, no entities will be added to the process map. A process variable loadEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadEntityParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatorySample ValueDescription
EntityDataPool

PersonThe name of the entity's datapool.
EntityAttribute

EmailThe attribute of the entity that must match a certain value.
EntityAttributeValue

${Person_Email} or ${user.Person_Email}The value that EntityAttribute must match. Most of the time, an expression will be used here. Also special expressions like ${user.*} are possible, to use values from the authenticated User or from system.properties (${sysprop.*}
EntityCoreObject



The core template of the entity. This limits the search to objects of this core template.

EntityCoreObjectIdField


coreObjectIdThe field in which the CoreObjectId is added in the process map.

EntityCoreObjectDescField


coreObjectDescriptorThe field in which the CoreObjectDescriptor is added in the process map.

EntityRolesField


rolesThe field in which the roles of the object is added in the process map.

ExclusiveLoadFields


FirstName,LastName,EmailIf not the complete dataset should be loaded, only the ones defined here are loaded/added in the process map.

TargetPrefix


Manager_

If the found objects fields should be added to the process map with a special prefix. It replaces the <Datapool_>, which is otherwise at this position. With this function, conflicting entries can be avoided.

Example: Instead of "Person_Email" the data map will get an additional entry: "Manager_Email".

Description 

This task expects a certificate in the process map and loads an entity from the DB, based on a value of the certificate. You configure what kind of entity (Person, Server etc) and which certificate field should match which field of the entity. A case insensitive search is performed. If exactly one entity is found, it will be added to the process map. If more that one entity is found, no entities will be added to the process map. A process variable loadCertificateMatchingEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

This task can be used to establish an objectRelation between the certificate and an entity.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadCertificateMatchingEntityParameterizedTask}

 The following parameters can be configured in Identity Manager Admin: 

Values are case sensitive.


ParameterMandatoryDefault ValueDescription

certificateDataPoolName

CertificateThe name of the certificate's datapool.

certificateDataFieldName

DataThe name of the field of the certificate's datapool that holds the binary certificate.
certificateAttribute

SAN_UPNThe field of the certificate whose value must match the entity. SAN values are prefixed with "SAN_". Possible values: any one of de.nexus.pkiutils.certificate.DNs or any one of de.nexus.pkiutils.certificate.SANs. Currently that allows the following possibilities: DN_C, DN_CN, DN_DNQ, DN_E, DN_L, DN_O, DN_OU, DN_SN, DN_ST, DN_UID, DN_STREET, DN_INITIALS, DN_POSTAL_ADDRESS, DN_POSTAL_CODE, DN_TELEPHONE_NUMBER, DN_TITLE, DN_SURNAME, DN_GIVENNAME, SAN_EMAIL, SAN_UPN, SAN_DNS, SAN_IP, SAN_URI, SAN_GUID, SAN_RID.
entityDataPoolName

PersonThe datapool of the entity to loadCertificateMatchingEntityParameterizedTask
entityDataPoolFieldName

EmailThe name of the field of the entity's datapool that must match the certificate's field value.
entityCoreTemplateName-PersonThe core template of the entity. This limits the search to objects of this core template.

Description

Use this task to load one or more values of SystemProperties, which are configured in the Admin tab in Identity Manager, into fields of the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadSystemPropertyIntoProcessmapParametrizedTask}

 The following parameters can be configured in Identity Manager Admin, they can be added with the '+'-button, each row sets one system property into the target field:

ParameterMandatoryValueDescription

targetFieldName

Name of systemProperty to load

Combination of target field and system property.

A system property is defined of <contextid>.<propertyName>.

Description

Use this task to log something in the logfile. The results will not be visible to an end user.

Configuration

To use this task, configure the following delegate expression in your service task:

${loggingParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription

loggerName

Any String, but typically a java package optionally followed by a class name.

Examples:

  • MyLogger
  • de.nexus
  • de.nexus.MyClass
In the log4j configuration, defined loggers have a name, typically a package name or a class, however any String is valid. This attribute specifies to which logger this task will write. You can use this to route the log message to a file, the console or any other appender.

loglevel

Valid values:

  • TRACE
  • DEBUG
  • INFO
  • WARN
  • ERROR
Use this to describe the severity of the log entry. It will appear in the logfile. Loggers and/or appenders typically ignore entries under a configurable threshold.

message

Any String or JUEL expression.

Examples:

  • This is a message
  • ${Person_Name} just executed this task
  • ${Person_Name.toUpperCase()} just executed this task
The message that will be logged. You can use Expression Language and methods from the String API. Expressions will be evaluated against the process map.

ignoreKeyNotFound

Valid values:

  • true
  • false

If this is set to true, expressions from the message that can't be resolved to a key in the process map will be ignored. If it is set to false, an exception will be thrown.

Description

Use this task to remove an entity from the process map. Given a name of a datapool, all fields from the datamap will be removed. If the given name does not match a datapool, no fields will be removed.

Configuration

To use this task, configure the following delegate expression in your service task:

${removeEntityFromDatamapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryDefault valueDescription
EntityDatapoolName


The name of the entity's datapool.

Description

Use this task to remove a variable from the data map of the process.

Configuration

To use this task, configure the following delegate expression in your service task:

${variableRemovingParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryDefault valueDescription
variableName


The name of the variable, which should be removed from the process map

Description

Use this task to compare two secret fields. If they are equal, the service task will return true, otherwise, false. The comparator is case sensitive, so only exact matches will return true. Note that blank values are not considered valid.

Passing secret fields directly into the data map is a security issue, so the service task will only expect UIDs of valid, already stored, secret fields.

Configuration

To use this task, configure the following delegate expression in your service task:

${compareSecretsParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

firstSecretFieldName

String value

UID of the first secret field

secondSecretFieldName

String value

UID of the second secret field

resultFieldName

String value

Default value: secretsAreEqual

The name of the variable in the processMap that will contain the result of the comparison.

Description

Use this task to set a variable to a desired value, including an empty string or null.

Configuration

To use this task, configure the following delegate expression in your service task:

${setValueOfVariableInProcessMapParameterizedTask}

The following parameters can be configured in PRIME Designer:

 ParameterMandatoryDefault valueDescription
variableName


The name of the variable whose value should change in the process map
variableValue-
The new value for the variable. It may contain JUEL expressions like ${Person_FirstName}.
setToNull-
If set to true, the variable's value will be set to null.
setToEmptyString-
If set to true, the variable's value will be set to an empty string.

Be sure to configure exactly only one of variableValue, setToNull and setToEmptyString. Otherwise an Exception is thrown.

JUEL expressions

Unresolvable JUEL expressions in variableValue are ignored by default.

If you want an exception to be thrown instead, add the following bean definitions to your custom-beans.xml:

 <bean id="keyNotFoundThrowingSpelResolver" class="de.vps.act.juel.SpelExpressionResolver">
        <constructor-arg name="expressionPrefix" value="${" />
        <constructor-arg name="expressionSuffix" value="}" />
        <constructor-arg name="keyNotFoundSafe" value="false" />
    </bean>

    <bean id="setValueOfVariableInProcessMapParameterizedAction"
          class="de.vps.act.action.datamap.modification.SetValueOfVariableInProcessMapParameterizedAction">
        <property name="juelExpressionResolver" ref="keyNotFoundThrowingSpelResolver" />
    </bean>

Description

Use this task to execute a searchConfig and search in a list of X509-certificates for the newest Encryption Certificate.

If one is found it is saved in the database (if it`s not existing already under the configured core template name) and loaded into the processMap as CoreObjectDescriptor.
If the certificate is found in the database but under a different core template name, a second entry will be saved under the configured core template name.

This task is useful, for example, when a field of a LDAP-datapool contains a (multi-value binary) list of certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${searchNewestEncCertParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription

searchConfigName

Select in drop-down listThe searchConfig, which is executed to search the list of X509-Certificates

encCertResultCoreTemplate

Select in drop-down list

The name of a CoreTemplate to store the found encryptionCertificate in the Database, if it does not already exist with this CoreTemplate name.

Note: The name must be based on CertificateDAO-dataPool

Note: If the certificate already exists with a different CoreTemplate name, a second entry will be saved with the encCertResultCoreTemplate. It is recommended to use these additional entries only temporarily and remove them after use.

encCertResultDescriptorName

String valueThe name of the variable in the processMap where the found encryptionCert is put as CoreObjectDescriptor

X509ListFieldInSearchResult

String value

The field in the result of the searchConfig with the list of certificates.

Note: This field should be a multi-value binary field in the datapool (LDAP-datapool)

<Datapool_Field>-

Additional Filter-Field for the searchConfig, added with '+'-Button

See description in Process: Execute Search Task.

Description

Use this task to validate a value in the process data map against a regular expression. The result is saved as true/false in the process data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${validateFieldWithRegexParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
variableName

Example value:

  • Text string, free of choice

Field in the process data map whose value (or list of values) is checked with the regular expression.

resultVariableName

Example value:

  • Text string, free of choice, example: "ProcessVarCNRegexResult"

Field in the process data map where the result of the validation is saved as Boolean ("true" when regex matches, "false" if not).

regex

Example value:

  • See examples in drop down list
  • Can also be edited free
The regular expression, which the field value must match.
variableMustExist-

Valid values (Boolean):

  • true
  • false (default at design time)
If true, validation fails if map has no entry for the variable described in variableName.
delimiter-

Example values:

  • "," (colon)
  • ";" (semi colon)

Can be defined if the value in variableName contains a list which is separated with a delimiter. For example: "value1; value2; value3"

If delimiter is defined, the value is treated as a list of multiple values, and every value is validated.

trim-

Valid values (Boolean):

  • true
  • false (default at design time)

If true, any whitespace before and after the value in variableName is removed before validation.

Example:

  • if " value " then "value" is validated. Every value in a list is trimmed, if delimiter is defined.
caseSensitive-

Valid values (Boolean):

  • true (default at design time)
  • false

If true, the validation does differentiate between lowercase and uppercase characters.

Smart ID Messaging


Description

Use this task to provision a new profile or update an existing one, overwriting existing keys. The task will create the keys needed for the "Mobile App: Install certificates" task.

The task will generate the following PKCS#10 request templates:

  • Signature Certificate (optional)
  • Authentication Certificate (optional)
  • Device Encryption (used to secure the communication with Smart ID Mobile App)

These requests will then be sent to the mobile phone and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests userid will then be sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". If a new profile was created, Identity Manager will also put the new profileId into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

After this task is executed, you need to request certificates using the requests stored in the process variables "SIG_P10_VAR" and "AUTH_P10_VAR" before proceeding to the "Mobile App: Install certificates" task. Store the requested certificates into the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile on the mobile app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMessageField

Example value:

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
signCertificateTemplate-
Signature certificate template.
authCertificateTemplate-
Authentication certificate template.
profileName

If new profile

Leave empty (when updating a profile)

Profile name for Smart ID Messaging. Will be displayed in the Smart ID Mobile App. Leave empty if you want to update an existing profile.
serverName

If new profile

Example value: 

  • Smart ID
Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from. 
qrResultField

If new profile

Example value:

  • QR_CODE_VAR
Process variable to put the resulting url. This url may be converted to a QR-Code for the Smart ID Mobile App by using GenerateQRCodeParametrizedAction.
profileIdIf update profile

Leave empty (for new profile)

Id of the Smart ID Mobile App profile that will be updated with new keys. Leave empty if you want to provision a new profile.

storagePriority

Valid values:

  • APP (for Smart ID Mobile App, default)
  • EXT (for Mobile Iron device)
  • MDM (replaced by EXT, but still supported)
Storage priority of certificates. MDM is replaced by EXT, however MDM is still supported.

Description 

This task requests and installs certificates that were prepared using the "Mobile App: Create Key" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Mobile App: Create Key" task and stored them as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, will be bound to the key pair created by "Mobile App: Create Key".
  • Authentication Certificate, will be bound to the key pair created by "Mobile App: Create Key".
  • Device Encryption Certificate, will be bound to the key pair created by "Mobile App: Create Key".
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallbackThe name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

${Person_Email}ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
signatureCertificate-

${SIG_VAR}

The signature certificate.
authenticationCertificate-

${AUTH_VAR}

The authentication certificate.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Mobile App: Create Key" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the "Mobile App: Create Key" task.
encryptionCertificate-
Encryption certificate template.
recoveryCertificate-
Recovery certificate template.
processVariable-Certificate_CoreObjectsVariable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField

profilePasswordReference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
storagePriority

Valid values:

  • APP (for Smart ID Mobile App, default)
  • EXT (for Mobile Iron device)
  • MDM (replaced by EXT, but still supported)
Storage priority of encryption certificates. MDM is replaced by EXT, however MDM is still supported.

Description

Use this task to create up to three template PKCS#10 requests that can be used to request certificates needed for the "Desktop App: Install Certificates on Virtual Smart Card" task.

Use this task to create up to three template PKCS#10 requests:

  • Signature Certificate (if template name is provided)
  • Authentication Certificate (if template name is provided)
  • Device Encryption (always, used to secure the communication with Smart ID Desktop App)

These requests will then be sent to Smart ID Desktop App and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests will then be sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR" and "AUTH_P10_VAR". Identity Manager will also put the new profile id into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

This task can only provision a new profile - updating an existing profile is currently only supported in Smart ID Mobile App at this time, not in Smart ID Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile(-list) on the desktop app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMesageField

Example value: 

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
signCertificateTemplate-

Example value:

  • Sign-Certificate
Certificate template of the signature certificate.
authCertificateTemplate-

Example value:

  • Authentication-Certificate
Certificate template of the authentication certificate.
profileName

Example value:

  • VSC 1
Profile name for Smart ID Messaging. Will be displayed in Smart ID Desktop App as the heading of the profile.
serverName

Example value:

  • Smart ID

Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from.

plugoutResultField

Example value: 

  • plugoutUri
Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine.
adminKey

Example value: 

  • ${Card_CardManagerKey}

The secret field reference of 24-byte 3DES admin key in HEX format. The key can also be set directly as plain hex value for testing.

Note: Smart ID Desktop App.s own default is 123456781234567812345678123456781234567812345678, but you must make sure Identity Manager always defines the value!

smartCardId

Example Value: 

  • ${Card_VscId}
Virtual smart card id. Usually it will be created via a dedicated number-range.
provisionReader


Valid values:

  • CreateTPM
  • FreeTPM
  • RenewTPM 
  • 0TPM/1TPM..../15TPM
  • CreateTPM (create a new VSC on the TPM) 
  • FreeTPM (use first free VSC on the TPM) .
  • RenewTPM Use this option to renew existing TPM certificates.
  • 0TPM / 1TPM / ... / 15TPM  Specific VSC on the TPM can be also used for installing certificates.

The value is passed as-is to Smart ID Desktop App.

pinMinLength

Example value:

  • 6
Min. length of the VSC PIN (Windows API allows 4-127 characters,
see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength)
pinMaxLength

Example value:

  • 15
Max length of the VSC PIN (Windows API allows 4-127 characters,
see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength)
pinUppercase

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether uppercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinLowercase

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether lowercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinDigits

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether digits in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinSpecialChars

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether special chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
hybridProfile-

Valid values:

  • FALSE (default)
  • TRUE

oldAdminKey-

-

This field only makes sense in case the "FreeTPM" provisionReader is configured. If provided, it will change the VSC's admin key. "oldAdminkey" must hold the old admin key and "adminKey" must hold the new admin key.

For example, default admin key of 010203040506070801020304050607080102030405060708 when you create VSC from Tpmvscmgr tool.

storagePriority

Valid values (version-dependent, Smart ID Desktop App or Smart ID Messaging update may be required for some):

  • VSC (TPM-based virtual smart card, default)
  • TPM (direct TPM storage, depending on the version of Smart ID Desktop App, it might have same meaning as VSC)
  • YUBI (Yubico YubiKey 5 PIV Token, since Identity Manager 3.12.5)
  • OS (operating system certificate store)

Storage priority - defines where certificates and keys are stored. Usually just a single value.
If hybridProfile is TRUE, then this may be a comma-separated list.

Example:

VSC, OS would mean: try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.

desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

This task requests and installs certificates that were prepared using the "Desktop App: Create Virtual Smart Card Key" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Desktop App: Create Virtual Smart Card Key" task. Store the certificates as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on a profile maintained by the Smart ID Desktop App:

  • Signature Certificate, will be bound to the key pair created by 'Desktop App: Create Virtual Smart Card Key'.
  • Authentication Certificate, will be bound to the key pair created by 'Desktop App: Create Virtual Smart Card Key'.
  • Device Encryption Certificate, will be bound to the key pair created by 'Desktop App: Create Virtual Smart Card Key'.
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallbackThe name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

${Person_Email}ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
signatureCertificate

${SIG_VAR}

The signature certificate.
authenticationCertificate

${AUTH_VAR}

The authentication certificate.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Desktop App: Create Virtual Smart Card Key" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the 'Desktop App: Create Virtual Smart Card Key' task.
encryptionCertificate

Encryption certificate template.
recoveryCertificate

Recovery certificate template.
processVariable
Certificate_CoreObjectsVariable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField

p12passwordReference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
smartCardId

${Card_VscId}

Virtual smart card id. Usually it will be created via a dedicated number-range.
storagePriority

Valid values (version-dependent, Smart ID Desktop App or Smart ID Messaging update may be required for some):

  • VSC (TPM-based virtual smart card, default)
  • TPM (direct TPM storage, depending on the version of Smart ID Desktop App, it might have same meaning as VSC)
  • YUBI (Yubico YubiKey 5 PIV Token, since Identity Manager 3.12.5)
  • OS (operating system certificate store)

Storage priority - defines where certificates and keys are stored. Usually just a single value.

If the profile was created with hybridProfile set to TRUE (see 'Desktop App: Create Virtual Smart Card Key'), then this may be a comma-separated list.

Example:

VSC, OS would mean: try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.

desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

Use this task to delete a virtual smart card profile managed by Smart ID Desktop App on a TPM and also to delete all Smart ID Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete Virtual Smart card profile on Smart ID Desktop App and Smart ID Messaging

To do this, specify a specific profile id and set the confirmation flag to true. All other parameters must be provided as well.

This task can be executed on a smart card profile which contains information about smart card id, profile id and card manager key (admin key).

The request will be sent to Smart ID Desktop App, which will delete the profile identified by the specified profile id and smart card id. Smart ID Desktop App will also change the card's admin key to the new value provided. The result will be sent to the message catching intermediate event identified by the parameter 'messageName'. After receiving a successful response from Smart ID Desktop App, Smart ID Messaging also deletes the mailbox and forwards the same response back to Identity Manager.

Delete mailbox on Smart ID Messaging only

To do this, set the confirmation flag to false. Smart card id and keys can be omitted.

Smart ID Messaging will delete either a specific mailbox when a profile id is provided or all mailboxes of the specified user id when the profile id is absent. The profiles themselves within Smart ID Desktop App will be retained, as the deletion request will not be forwarded to Smart ID Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodDeleteProfileTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
messageName

deleteSmartCardCallbackThe name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

when confirmation flag is true

${Card_ProfileId}

Id of the profile to be deleted, as created via 'Desktop App: Create Virtual Smart Card Key'.

smartCardId

when profileId provided and confirmation flag is true

${Card_VscId}Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'.
plugoutUrl

when profileId provided and confirmation flag is true

plugoutUrl

Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine.

userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
adminKey

when profileId provided and confirmation flag is true


The secret field reference of the new 24-byte 3DES admin key to be set, in HEX format. The key can also be set directly as plain hex value for testing.

oldAdminKey

when profileId provided and confirmation flag is true

${Card_CardManagerKey}

The secret field reference of the 24-byte 3DES current admin key, in HEX format. The key can also be set directly as plain hex value for testing.

confirmation

true

Messaging Server will forward the delete profile request to Smart ID Desktop App when this set to true.

Description

Use this task to create a template PKCS#10 request that can be used to request the certificate needed for the "Desktop App: Install Certificates On Windows Cert Store" task:

  • Device Encryption (used to secure the communication with Smart ID Desktop App)

Identity Manager will also put the new profileId into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

This task can only provision a new profile - updating an existing profile is currently only supported in Smart ID Mobile App at this time, not in Smart ID Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxOsHermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile(-list) on the desktop app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMesageField

Example value: 

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
profileName

Example value:

  • Windows Certs
Profile name for Smart ID Messaging. Will be displayed in Smart ID Desktop App as heading of the profile.
serverName

Example value:

  • Smart ID

Name of the server that issued the provisioning request. Will be displayed in Smart ID Desktop App so the user can understand where this profile comes from. 

plugoutResultField

Example value: 

  • plugoutUri
Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine.
desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

Use this task to request and install certificates that were prepared using the "Desktop App: Create Windows Cert Store Key" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Desktop App: Create Virtual Smart Card Key" task. Store the certificates as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on the Windows Certificate store:

  • Device Encryption Certificate, will be bound to the key pair created by 'Desktop App: Create Windows Cert Store Key' task.
  • Softtoken certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxOsHermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Desktop App: Create Virtual Smart Card Key" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the 'Desktop App: Create Virtual Smart Card Key' task.
softttokenCertificate

Softtoken certificate template.
recoveryCertificate

Recovery certificate template.
processVariable
Certificate_CoreObjectsVariable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField

p12PasswordReference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

Use this task to start a connection to Smart ID Messaging. With this connection, scripts can be executed. Finally, the connection needs to be closed.

Once the connection is established you receive a boxId and a plugoutUrl which can be used to start Smart ID Desktop App and connect it to the corresponding box on Smart ID Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartConnectionParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
boxId


Process variable to put the boxId.
plugoutUrl


Process variable to put the plugout url.
messageToUser

An optional message to the user which will be displayed in Smart ID Desktop App.
messageName

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

Description

Use this service task to execute a script in Smart ID Desktop App. The script needs to be passed as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodExecuteScriptParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
boxId


Process variable to put the boxId.
scriptCommands


Process variable containing the script commands. The commands need to be formatted as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}])
messageToUser

An optional message to the user which will be displayed in Smart ID  Desktop App.
messageName


The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

Description

Use this service task to close a scripting connection to Smart ID Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndConnectionParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
boxId


Process variable to put the boxId.
messageToUser

An optional message to the user which will be displayed in Smart ID Desktop App.
messageName


The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

Description

Use this task to encrypt the pin or card manager key that is sent during a pin operation. The corresponding app while provide this one time key in the callback message when the operation is requested.

Configuration

To use this task, configure the following delegate expression in your service task:

${jweEncryptTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
jweAlgorithm

${transportKeyType}The value as provided by the corresponding app via a callback message. In most cases the default value should be used. RSA-OAEP, RSA-OAEP-256, and RSA1-5 are supported. 
key

${transportKey}The value as provided by the corresponding app via a callback message. In most cases the default value should be used. Supports only X509 encoded RSA key in byte array.
sourceData

${Card_CardManagerKey}The secret to be encrypted. 
targetField

${encryptedSecret}Process variable to hand over the encrypted secret to the acknowledge task.

Description

Use this task to initiate a pin reset on a virtual smart card.

Once the operation is confirmed by the user through the Smart ID Desktop App, Identity Manager will receive a challenge that needs to be encrypted via the card manager key in order to authorize the pin reset. The challenge will be set in the process variable "challenge".

After this task is executed, use the 'Credentials: Calculate Minidriver Offline Unblocking Response' task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Desktop App: Acknowledge PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartPinResetTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

startPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

 ${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

 ${Card_ProfileId}Id of the profile whose pin to change, as created via 'Desktop App: Create Virtual Smart Card Key'.
smartCardId

 ${Card_VscId}Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'.
boxId

 boxIdProcess variable to put the boxId. This will be needed to complete the pin reset.
plugoutUrl

 plugoutUrl

Process variable to put the plugout url.

Description

Use this task to initiate a pin reset on a physical smart card.

The Smart ID Desktop App, will in turn provide a challenge and a transport security key, so that the actual pin operation can be executed.

Supported operations are:

  • Reset the pin
  • Change the card manager key

The challenge Identity Manager will receive, needs to be encrypted via the card manager key in order to authorize the pin operation. The challenge will be set in the process variable "challenge" by a callback message.

The transport security key can be used to encrypt the new card manager key, when it is changed.

After this task is executed, use the 'Credentials: Calculate Minidriver Offline Unblocking Response' task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Desktop App: Acknowledge PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartScPinResetTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

startPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
operation

 resetPIN

  • resetPIN: reset the user pin
  • changeAdminKey: set a new card manager key
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
driverType

MiniDriverWhat kind of driver is used for the operation. At the moment only MiniDriver is supported.
driverName

 CardOSName of the driver to be used .

Description

Use this task to complete a pin reset on a virtual smart card. Once the pin is reset by Smart ID Desktop App, Identity Manager will receive an event indicating success or failure of the operation.

As a prerequisite you must have encrypted the challenge received in the "Desktop App: Request PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndPinResetAction}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

endPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

${Card_ProfileId}Id of the profile whose pin to change, as created via 'Desktop App: Create Virtual Smart Card Key'.
smartCardId

${Card_VscId}Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key.
boxId

${boxId}The boxId that was created with 'Desktop App: Request PIN Reset on Virtual Smart Card'
response

${encryptedChallenge}The challenge received in the callback of 'Desktop App: Request PIN Reset on Virtual Smart Card' encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'.

Description

Use this task to complete a pin operation on a virtual smart card. Once the pin is changed by Smart ID Desktop App, Identity Manager will receive an event indicating success or failure of the operation.

As a prerequisite you must have encrypted the challenge received in the "Desktop App: Request PIN Reset on Virtual Smart Card" task, and, if the pin (or card manager key) is provided by the Identity Manager is has to be encrypted for secure transport using the "Desktop/Mobile App: Encrypt Secret for Transport" task. 

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodScEndPinResetAction}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

endPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
encryptedSecret


${encryptedSecret}Only required, if the secret (like card manager key or pin) in managed by Identity Manager. It is encrypted using the "Desktop/Mobile App: Encrypt Secret for Transport" task. If the secret is entered by the user into the app, this can be omitted.
boxId

${boxId}The boxId that was created with 'Desktop App: Request PIN Reset on Virtual Smart Card'.
response

${encryptedChallenge}The challenge received in the callback of 'Desktop App: Request PIN Reset on Virtual Smart Card', encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'.

Description

Use this task to retrieve profile and device information of virtual smart cards that are managed by Smart ID Desktop App.

You can request information of a virtual smart card or of a single virtual smart card profile.

The task will put a "commandId" value into a process variable which must be used for polling the response using "Desktop App: Poll meta data from client".

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId


${Card_ProfileId}If provided, restrict requested information to this profile. ProfileId values are created in the 'Desktop App: Create Virtual Smart Card Key' task.
plugoutUrl

 plugoutUrl

Process variable to put the plugout url.

userid


tmp

ID representing the user on the messaging server. If a profileId parameter is set, this must match the userid provided when the profile was requested. Otherwise any value will do.

deviceInfo

true

Request device information.

profileInfo

true

Request profile information.

commandId

commandIdProcess variable to put the commandId value, which is needed for polling in the "Desktop App: Poll meta data from client" task.

Description

Use this task to poll a ping response from Smart ID Messaging based upon the 'commandId' (which was created at the ping request to Smart ID Messaging).

Execute this task after a ping request to Smart ID Messaging. It polls the message from Smart ID Messaging, based upon the provided command id. After receiving the response from Smart ID Messaging it stores the profile and device Information into configured service task parameters. 

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingResponsePollingTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
commandId

${commandId}CommandId which was received by the "Desktop App: Ping Virtual Smart card profile" task, needed for polling.
profileInfo

profileInfoProcess variable to put the profile information.
deviceInfo

deviceInfoProcess variable to put the device information.

Miscellaneous


Description

Use this task to create a request for the IN Groupe connector and place it in the process map.

Configuration

To use this task, configure the following delegate expression in your service task: 

${createINGroupeRequestParameterizedTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryExample valueDescription
CoreObjectListFieldName

Card_CoreObjectDescriptorListName of the variable in the process map, which contains a list of CoreObjectDescriptors, that should be used to create the request.
OutputFieldName

OutputName of the variable in the process map, where the request xml should be output to.
ConfigurationFilePath

C:\export_mapping.propertiesAbsolute file path of the configuration file, that should be used to create the request. The configuration file needs to be encoded in UTF-8, to ensure language specific characters are displayed correctly.

statusAfterExport

-

orderedStatus that a card can take when the exporting was successfully done. 
statusOnError

-

errorInProductionStatus that a card can take when the exporting was not successfully done. 

Configuration file 

The configuration file is needed for Identity Manager to know which tag of the IN Groupe request schema should be mapped with the corresponding value from the core object. Format the configuration file as a .properties file. 

To set the value of a tag, specify the type name of the parent tag and the tag you want to modify, for example:

Example: Set a value of a tag
BatchRequestType_globalSchema = DEMANDES_2.1.XSD

The value can also be a juel expression which is available in the process map. If the expression can not be resolved it will result in an empty string.

Expressions that are always available:

  • ${CurrentDate} that resolves to the current date in "yyyyddMMhhmm" format, and
  • ${NumberOfIteration} which is a number that starts at 1 and is increased each time a core object is processed.

To set the "reference" attribute that is needed for, for example, "DataType", configure as follows: 

Example: Set reference attribute
CardType_DataType|Numero_carte = 123456789

The part after the "|" symbol represents the reference value.

Description

Use this task to read all IN Groupe report files from a folder and update any cards found inside.

Configuration

To use this task, configure the following delegate expression in your service task: 

${importINGroupeReportsParameterizedTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryExample valueDescription
InputFolder

C:\InputThe folder which contains all the XML files.
ImportedFolder

C:\ImportedThe folder which stores already imported XML files.
ProblemFolder

C:\ProblemThe folder which contains XML files that could not be imported.

ConfigurationFilePath

C:\import_mapping.propertiesThe absolute path to the mapping file.
UniqueFieldName

Card_CardNumberThe name of the field by which each card can be identified.
StatusMappingFieldName

StatusMapping

The name of the field that references a map, containing all the available mappings between a request status and a card status.

Note: The card status values must be present in the state graph, and the transitions from one state to another must be valid.

Configuration file 

The configuration file is needed for Identity Manager to know, which field of the IN Groupe report schema should be mapped with the corresponding value from the core object. The configuration file has to be formatted as a .properties file. 

To set the value of a tag, you specify the type name of the parent tag and the tag you want to modify (EntRecType_unRef in the example below). And, on the right side of the equals we have the datapool and the field where the value needs to be written (Card_UniqueReference in the example below).

Example: Set a value of a tag
EntRecType_unRef = Card_UniqueReference

In the import mapping you also have constructs referring to complex objects from a list.  To set the "reference" attribute that is needed for, for example, "InfoType", configure as follows: 

Example: Set reference attribute
InfoType|Serial_Number_CT = Card_CardNumber

The left part of the "|" symbol shows the "InfoType" tag, which is a list containing some complex objects. The right part of the "|" symbol identifies which complex objects you will take the value from, for example "Serial_Number_CT". The value will then be added to the "CardNumber" field of the Card datapool.

Description

Use this task to create an .ics file and store it in the data map.  

Configuration

To use this task, configure the following delegate expression in your service task: 

${createIcsFileParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatory

Default value

Description
subject


The subject of the event.
location


The location of the event.
startTime


The start time of the event.
endTime


The end time of the event.
targetField-ics_calendarSpecified where the .ics file shall be stored in the data map.
allDayEvent-falseIf set to "true" the event will be shown as an allDay event.
content


Defines the content of the event.

See following example as a reference:


Description

Use this task to create a pdf and store it in the datamap. The pdf will be generated from a Jasper Reports template.

Configuration

To use this task, configure the following delegate expression in your service task:

${generatePdfParametrizedTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryDefault valueDescription
reportName


The name of the Jasper Report. Must be available in Identity Manager Admin.

It can also be a JUEL Expression (for example, ${myDatapool_myReportNameField}. In this way, the template names from the process map are used dynamically.

fieldName


The datamap field to which the pdf will be stored (as a byte[]).

Description 

Use this task to take a valid URL from the datamap and generate a QR code from it. 

Configuration

To use this task, configure the following delegate expression in your service task:

${generateQRCodeTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatorySample ValueDescription

QRCodeLinkField

Person_HomepageDescribes the data map field in which the link is stored to create a QR code from.

QRCodeOutputField

outputThe name of the output field to which the QR code ("jpg", byte[]) will be stored.

Description

Use this task to export a binary file from the datamap into a file location on the hard drive (Server side).

Configuration

To use this task, configure the following delegate expression in your service task: 

${exportBinaryParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
exportFilePath

Example value:

  • C:/TEMP
Defines the folder into which the binary file shall be exported.
exportFileName

Example value:

  • ${Person_FirstName}_${Person_LastName}.txt
Defines the name of the exported binary. 
exportDataMapTargetField

Example value:

  • Person_Signature
Defines the datamap field from which the action should export the binary file.

Description

Use this task to export an image from the datamap into a file location on the hard drive (Server side). The file extension will be automatically set depending on the image format.

Configuration

To use this task, configure the following delegate expression in your service task: 

${exportImageJavaDelegate}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
exportFilePath

Example value:

  • C:/TEMP
Defines the folder into which the image shall be exported.
exportFileBaseName

Example value:

  • ${Person_FirstName}_${Person_LastName}
Defines the base of the exported image. The export will append a time stamp so that it will result in, for example: John_Doe_2019-11-20_10-52-19.jpg
exportDataMapTargetField

Example value:

  • Person_Photo
Defines the datamap field from which the action should export the image.

Description

Use this task to define a ParametrizedAction which is capable of downsizing pictures inside of a Process.

Configuration

To use this task, configure the following delegate expression in your service task:

${resizeImageJavaDelegate}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
dataPoolSourceField


The datapool field in which the source image is stored.
dataPoolTargetField


The datapool field in which the target image shall be stored.
imageWidthInPx


The desired image width of the target image in px.
imageHeightInPx


The desired image height of the target image in px.
maxBinarySizeInKB-

Defines the maximum size the output file shall be. When the resize doesn't lead to the desired size, the action will perform a quality shrink (defined by spring parameter "qualityStep") as long as the size matches the size given by this parameter.

keepRatio

true

Boolean flag which indicates weather the aspect ratio of the image should be kept or not.

  • If set to true and the picture is in landscape format the dimensions are: (width = imageWithInPx | height = smaller than imageHeightInPx)
  • If set to true and the picture is in portrait format the dimensions are: (width = smaller than imageWidthInPx | height = imageHeightInPx)
qualityDescreaseStep-0.05Indicates the quality decrease step when trying to minimize the quality to reach the desired maxBinarySizeInKB.


This is a flowchart of the task:

Description

Use this task to import all rows from a CSV file as core objects.

The following must apply:

  • The file must exist in the data map as byte array.
    • To achieve this, upload a CSV file in a prior user task.
    • As form field, use either a data pool field with data type "Binary Data" or a "Variable Binary Field". The "Binary Data Definition" should be "CSV" in both cases.

Whenever there is a problem with the import, no objects will be imported at all. An exception will be thrown with a message identifying the row or even the cell that caused the problem. This message will be logged, too.

Configuration

To use this task, configure the following delegate expression in your service task:

${importIdentitiesFromCSVTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
csvField


The field which contains the CSV file as byte array. You can use a Binary Field or a Variable Binary Field.
targetCoreTemplateName


The core template name which should be used for the new core objects. This should be based on a DAO based Datapool.

commaSeparatedListOfUniqueIdentifiers


Comma separated list of the fields which identify one unique core object.
maxNumberOfEntriesInCSV

This can be used to limit the number of core objects. If it's set and there are more entries in the CSV, an Exception will be thrown.

createdCoreObjectDescriptorListVarName

When used, the variable with the configured name will contain a list of CoreObjectDescriptors after the execution. The list describes the core objects that had been newly created by the action. Thus it's possible to perform subsequent operations on those core objects later in the process.
updatedCoreObjectDescriptorListVarName

Same as for createdCoreObjectDescriptorListVarName except that the list will contain the modified core objects.

When you configure the same name as for createdCoreObjectDescriptorListVarName the resulting list will contain descriptors for both types of core objects: newly created as well as modified.

mapping

Specifying a mapping provides manifold possibilities to configure the content of the CSV file. Without a mapping the following restrictions apply:

  • The CSV file must contain a header line.
  • The column headers must be literally equal to the datapool field names of the datapool of the target core template.
  • The delimiter must be a comma.

  • The format for dates must be dd-mm-yyyy.

  • The format for time values must be hh:mm:ss.
  • The format for datetime values must be dd-mm-yyyy-hh-mm-ss.

Also consider this:

  • When providing a mapping, its source data pool describes the CSV file while it's target data pool must be the datapool of the target core template.
  • The source data pool must have a data source of type "CSV File".
  • At the data source of the source data pool you can configure, whether the CSV file contains a header row or not.
  • At the data source of the source data pool you can configure the delimiter character used in the CSV file.
  • You may leave the data source's file name empty.
  • The data pool fields of the source data pool must match the columns of the CSV file in the correct order. All fields must be of type "Text". The field names can be chosen arbitrary.
  • The field mappings of the mapping define which columns of the CSV file are imported. You may omit fields of the source data pool. All fields of the target data pool that are contained in the commaSeparatedListOfUniqueIdentifiers must be mapped.
  • If the CSV file contains columns that are mapped to data fields of the target data pool of type date, time or datetime, you must configure the format with the field mapping.
  • See here for information about creating a new or editing an existing data pool.
  • See here for information about creating a new or editing an existing mapping.
errorMessageField
ErrorMessageIf this field is provided and an error occurs, a message containing the cause is not only logged but additionally put into the variable with the specified name.

If you need to use this service task, please contact Nexus.

Description

Use this task to validate the uploaded photos. This task is compatible with FaceVACS-SDK 9.4.0.

Follow these steps:

  1. Install FaceVACS-SDK 9.4.0 on server.
  2. Import the valid license to sdk, see FaceVACS documentation.
  3. Copy the frsdkjava-9.4.0.jar in %TOMCATE_DIR%/lib. Normally the jar file is located in %FVSDK_9_4_0_DIR%/lib/x86_64/msc_14.1-sse4_crtdll/.
  4. The native library jfrsdkjni-9.4.0.dll has to be setup in TOMCAT. For example, set the CATALINA_OPTS in catalina.bat:
    • SET CATALINA_OPTS=-Djava.library.path="C:\FVSDK_9_4_0\lib\x86_64\msc_14.1-sse4_crtdll;C:/FVSDK_9_4_0/lib/x86_64/share"

Configuration

To use this task, configure the following delegate expression in your service task:

${cognitecFaceVACSValidationParametrizedTask}

The FRSDK configuration file have to be configured in the faceVACSObjectsCreater bean (needed at runtime). This file can be located in "%INSTALLDIR%/etc/frsdk.cfg".

Example
<bean id="cognitecFaceVACSValidationParametrizedAction" class="de.vps.act.action.photo.validation.CognitecFaceVACSValidationParametrizedAction">
    <property name="faceVACSChecker">
        <bean class="de.vps.act.action.photo.validation.FaceVACSChecker">
            <property name="faceVACSObjectsCreator" ref="faceVACSObjectsCreator" />
        </bean>
    </property>
</bean>
 
<bean id="faceVACSObjectsCreator" class="de.vps.act.action.photo.validation.FaceVACSObjectsCreator">
    <constructor-arg value="C:/FVSDK_9_4_0/etc/frsdk.cfg" />
</bean>

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
outputFieldName


On which variable the result of checking will be available in data map.
photoFieldName


Photo field name in data map.
checkColor-falseReturns true if the portrait characteristics are based on color and false if they are based on Gray scale (intensity) image.
checkNaturalSkinColour-falseNatural colours in face region. Returns true if the face region has natural colors, otherwise false.
checkFrontal-falseThe face is considered frontal if the rotation of the head is less than +/-5 degrees from frontal for yaw and pitch and if roll angle of head is less then +/-8 degrees.
checkEyesOpen-falseReturns true if both eyes of the person are open.
checkEyesGazeFrontal-falseReturns true if the person’s eyes are looking frontal to the camera.
checkEyesNotRed-falseReturns true if both eyes pupils are not detected as red.
checkNoTintedGlasses-falseAccording to ISO 19794-5:2005 section 7.2.11 and best recommendations glasses should not be tinted.
checkSharp-falseReturns true if the face area (from chin to crown and from left to right ear) fits the focus and depth in field characteristics(see ISO 19794-5:2005 section 7.3.3).
checkMouthClosed-falseReturns true if mouth is closed according to ISO 19794-5:2005 section 7.2.3 and appendix A 2.2.1

Description

Use this task to generate a random GUID and store it in the data pool.

Configuration

To use this task, configure the following delegate expression in your service task: 

${generateGUIDForEntityParameterizedTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
GuidDataPoolField

Example value:

  • Card_Guid
Which data pool field to store the GUID in.

Troubleshooting 

For more information, see the following links: