Upgrade from PRIME 3.9 to PRIME 3.10

This article is valid from Nexus PRIME 3.10

This article describes the steps that must be done when upgrading Nexus PRIME from version 3.9 to 3.10. The instructions cover relevant changes for standard features that can be used by configuration in PRIME Designer or configuration files. Customization changes in internal APIs etc are not included. These instructions apply when upgrading the 3.9 standard packages to 3.10.

Prerequisites

If you upgrade from a more previous version, you must do the upgrades step by step, that is, first upgrade from 3.8 to 3.9 and then from 3.9 to 3.10. If that is the case, see also Upgrade from PRIME 3.8 to PRIME 3.9.

Step-by-step instructions

Configure Personal Messaging (Hermod)

Configuration of Personal Messaging (Hermod) is moved to PRIME Designer and the settings in system.properties are obsolete. The corresponding values that have been set before in system.properties are now added in PRIME Designer.

In PRIME Designer, go to Home > Messaging Server.
Add the values there.

The parameter list in all Personal Messaging standard service tasks have changed. The reference is now only to the symbolic name of Personal Messaging (as set up in PRIME Designer), all other connection parameters have been removed. See Standard service tasks for details to the changed parameter list.

PKI Chip Encoding

For PKI chip encoding with Nexus Personal Middleware, the usage of the parameter OperatorPinIsSOCredential in the Encoding File (DSC) has been changed. From now on, it is deprecated to use OperatorPinIsSOCredential with direct values. Instead, use the more common form with the '#' prefix.

Deprecated:
OperatorPinIsSOCredential=true

Recommended:
OperatorPinIsSOCredential=#true or OperatorPinIsSOCredential=myDataPoolField

New PRIME Self-Service

The old PRIME USSP is deprecated. Deploy the new PRIME Self-Service instead from PRIME 3.10.

Also consider the following:

The tenant id is referenced in the "application.yaml"
A new permission is introduced: "Show in USSP". Only processes that have activated this permission in their corresponding user role will be shown in the new PRIME Self-Service. For instructions how to do this, see Customize PRIME Self-Service. This permission has replaced the process blacklisting in the beans.xml of the old USSP.
Menu items in the new PRIME Self-Service are configured via Search Configurations with the corresponding purpose "USSP Search". When updating PRIME from a previous version, these Search Configurations have to be added manually. Corresponding examples can be found in the PRIME 3.10 standard packages.

Changed Self-Service encoding

The Self-Service encoding is changed from Java Webstart technology to Personal Desktop App/Personal Messaging.

With PRIME 3.10 a new PKI Encoding technology is introduced for the new PRIME Self-Service.

Do the following to update old PRIME installations:

Deploy Personal Messaging as an additional application in your environment (see Install Hermod and Upgrade Hermod).
Deploy Nexus Personal Desktop App on each client that has to execute a PKI Encoding in the new PRIME Self-Service, see Install and upgrade Personal Desktop App.
Configure Personal Messaging in PRIME Designer, go to Home > Messaging Server.

Changed permissions for PRIME Explorer admin page

Permissions for the PRIME Explorer Admin page have been extended with PRIME 3.10, so that each item in the Admin page has its own permission.

Run the db_update script. The current configuration in the PRIME database is automatically updated.
Old configurations that are uploaded into PRIME (after db_update has been executed), must be adapted manually.
1. The permission "Explorer ADMIN" will disappear.
2. These are the new permissions:
  1. Explorer: ADMIN: Upload Configuration
  2. Explorer: ADMIN: Download Configuration
  3. Explorer: ADMIN: Reserve Number Ranges
  4. Explorer: ADMIN: Configure system properties
  5. Explorer: ADMIN: List processes
  6. Explorer: ADMIN: Clear cache
  7. Explorer: ADMIN: Maintenance Mode
3. Add manually the new permissions for the PRIME Explorer Admin page to the corresponding role.

Upgrade from < 3.10.1 to >=3.10.1

Updates in standard service tasks

It is recommended to maintain certificates and PKCS#10 requests in the process map as byte. Both certificates and PKCS#10 request can either be represented in their ASN.1 binary form or as utf-8 bytes of the PEM encoded form.

It is now required to get the data as byte for a number of tasks:
1. Cert: Execute PKCS10 Request (${executePKCS10RequestTask})
  - Attribute:
    - P10RequestFormEntry
2. Cert: Extract PKCS#10 Attributes From Request (${extractPKCS10AttributesFromRequestTask})
  - Attribute:
    - P10RequestFormEntry
3. Personal Messaging: Install Certificates on Personal Mobile (${hermodInstallCertificatesTask})
  - Attributes:
    - signatureCertificate
    - authenticationCertificate
    - deviceEncryptionP10
4. Personal Messaging: Install Certificates on Virtual Smartcard (${pxVscHermodInstallCertificatesTask})
  - Attributes:
    - signatureCertificate
    - authenticationCertificate
    - deviceEncryptionP10
The binary form will now be emitted from a number of tasks:
1. Cert: Execute PKCS10 Request (${executePKCS10RequestTask})
  - Attribute:
    - P10RequestFormResult
2. Personal Messaging: Create Key on Personal Mobile (${hermodKeyCreationTask})
  - Variables in the process map provided by the subsequent event:
    - SIG_P10_VAR
    - AUTH_P10_VAR
    - DEVICE_ENC_P10_VAR
3. Personal Messaging: Create Key on Virtual Smartcard (${pxVscHermodKeyCreationTask})
  - Variables in the process map provided by the subsequent event:
    - SIG_P10_VAR
    - AUTH_P10_VAR
    - DEVICE_ENC_P10_VAR
It's also necessary to do a database update as a new table was introduced.