Upgrade from PRIME 3.11 to PRIME 3.12

This article describes the steps that must be done when upgrading Nexus PRIME from version 3.11 to 3.12. The instructions cover relevant changes for standard features that can be used by configuration in PRIME Designer or configuration files. Customization changes, for example in internal APIs, are not included.

If you upgrade from an earlier version, you must do the upgrades step by step, that is, first upgrade from 3.10 to 3.11 and then from 3.11 to 3.12. In that case, see also Upgrade from PRIME 3.10 to PRIME 3.11.

Prerequisites

Upgraded PRIME to 3.12, see Upgrade PRIME.

Upgrade information

SAML configuration

The SAML implementation has been revised and significant changes have been made to simplify the configuration.

For that reason, there is no automated upgrade path for an existing SAML configuration. SAML authentication profiles from previous releases have to be deleted and re-configured when upgrading to 3.12.

For details on how to configure SAML in PRIME 3.12, see chapters "Configure SAML SSO Core Object profile" and "Configure SAML SSO LDAP profile" in Set up authentication profile.


Nexus Certificate Manager integration

With PRIME 3.12, the latest major release of Nexus Certificate Manager (CM), version 8.1, is supported. With CM 8, several changes have been made in the integration interfaces. A downgrade to older CM versions just by replacing the corresponding CMSDK files is no longer possible. It is therefore highly recommended to upgrade CM to version 8.1. If you cannot upgrade immediately, there is a backport patch to CM version 7.18.1. See the separate instructions that are delivered with the patch for details.


External PKI interfaces removed

All PRIME PKI connectors have been moved to the internal connector architecture. This was done already with the previous PRIME release. Therefore the old "External CA Connector" interface is no longer needed and it has been removed in the PRIME Designer configuration.

If you still have a PKI connected via this interface, you need to switch to the corresponding internal PRIME connector instead.


Trustserver functionality changed

As part of the external PKI connector cleanup, the old "trustserver" functionality has been changed. "trustserver" was used in early PRIME projects to store sensitive data (like PIN and PUK) in Nexus Certificate Manager. Since sensitive data can now also be encrypted in PRIME, the trustserver functionality is only kept for compatibility reasons for existing PRIME installations.

Therefore the standalone usage of "trustserver" is no longer supported. Only the "combined" approach (new secrets are stored in PRIME internally, fallback is to check trustserver) can be used with PRIME 3.12.

In earlier releases, this functionality required a nexus_cm.properties configuration in PRIME Designer, PRIME Explorer and PRIME Tenant. The current implementation requires a trustserver.properties file to be available in all three applications, but only PRIME Explorer needs a working configuration; see the example file below. In PRIME Designer and PRIME Tenant, the file can be empty.

Example of trustserver.properties
# config for trustserver
cmConnectorConfigName=InternalCMConnector
caTokenProcedureStoreSecret=handleCardsSecrets
caTokenProcedureRecovery=TP_RecoverKey
caTokenProcedureImportCert=Import_MyCertificate
certificateManagerIssuerIdentifier=CN=CM DEV Issuing CA, O=CM DEV, C=DE



Changes in engineSignEncrypt.xml

Cleanup and restructuring have been done in engineSignEncrypt.xml:

  1. Remove these entries from the file, as they are obsolete. You can also leave them as they are, as they will have no effect.
    1. PasswordDescriptor
    2. SecretFields01
    3. signCertZipConfg
  2. Update these renamed entries in the file:
    1. Replace "PasswordDescriptor02" with "EncryptedFields".
    2. Replace "JWTDescriptor" with "SelfServiceJWTSigner".
  3. Duplicate the "SignVerifyDescriptor".
    1. In the first copy, replace "SignVerifyDescriptor" with "ObjectHistorySigner" (if you have multiple entries of SignVerifyDescriptor, use the one with the highest "key" attribute).
    2. In the second copy, replace "SignVerifyDescriptor" with "ConfigZipSigner".
    3. Optionally two different keys can be used for "ConfigZipSigner" and "ObjectHistorySigner".
  4. Check the system.properties file in PRIME Explorer for the renamed attributes.
    1. At least the "SignVerifyDescriptor" should be present there and needs to be replaced with "ObjectHistorySigner".
    2. Also replace other attributes that you might find, as explained above.
  5. Remove the "reuseKey" attribute in all descriptors, as it is obsolete.

See Sign and encrypt engine for more information. Also, see the updated engineSignEncrypt.xml in the PRIME 3.12 delivery for further information.
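
The following check is an added example, not part of the PRIME delivery: it scans engineSignEncrypt.xml or system.properties as plain text for the names listed in the steps above and reports the required action for each hit. The descriptor layout in the sample is constructed for illustration and is not the real file schema; `audit`, `RULES` and `SAMPLE` are names chosen here.

```python
import re
import sys

# Names and actions taken from the engineSignEncrypt.xml upgrade steps.
RULES = {
    "PasswordDescriptor": "obsolete, remove",
    "SecretFields01": "obsolete, remove",
    "signCertZipConfg": "obsolete, remove",
    "PasswordDescriptor02": "rename to EncryptedFields",
    "JWTDescriptor": "rename to SelfServiceJWTSigner",
    "SignVerifyDescriptor": "duplicate as ObjectHistorySigner and ConfigZipSigner",
    "reuseKey": "obsolete attribute, remove",
}

# Match whole identifiers only, so "PasswordDescriptor" (obsolete) is not
# reported for "PasswordDescriptor02" (renamed).
PATTERNS = {
    name: re.compile(r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])")
    for name in RULES
}

# Constructed sample of a partially migrated file. The element and attribute
# layout is an assumption for illustration, not the real schema.
SAMPLE = """\
<descriptor name="PasswordDescriptor" key="1"/>
<descriptor name="PasswordDescriptor02" key="1" reuseKey="false"/>
<descriptor name="JWTDescriptor" key="1"/>
<descriptor name="SignVerifyDescriptor" key="2"/>
<descriptor name="ObjectHistorySigner" key="2"/>
"""


def audit(text):
    """Return (line_number, name, action) for each leftover 3.11 name in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, name, RULES[name]))
    return findings


if __name__ == "__main__":
    # Pass the paths of engineSignEncrypt.xml and system.properties;
    # without arguments the constructed sample is scanned.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for source, text in (sources or {"SAMPLE": SAMPLE}).items():
        for number, name, action in audit(text):
            print(f"{source}:{number}: {name}: {action}")
```

An empty result for both files means no 3.11 descriptor name or "reuseKey" attribute is left to be silently ignored after the upgrade.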


Upgraded Groovy Script Engine

The Groovy Script Engine has been updated from version 2.4 to version 3.0. Some interfaces have changed or have been deprecated in Groovy 3.0, which might cause custom Groovy scripts to fail after the update.

Please check the corresponding release notes or change logs to verify if your custom scripts are affected and adapt your scripts if necessary.


New and updated standard service tasks

All standard service tasks are found here: Standard service tasks.

New standard service tasks for PRIME 3.12

Updated standard service tasks for PRIME 3.12

Updated standard service tasks not related to the 3.12 release


Manual update of processes

For PRIME 3.12.4, these standard service tasks are updated, and the value for the parameter storagePriority is changed from TPM to VSC:

Both tasks are used in the standard workflow Creation of virtual smartcard (Id: PcmSubProcCreationOfVSC), used in the module Digital Id.

  1. After uploading the module Digital Id into PRIME Designer, go to Home > Process Import.
  2. Search for the process name Creation of virtual smartcard or the process id PcmSubProcCreationOfVSC and double-click on it to open it.
  3. Under Attributes you see the two service tasks. Click Edit on the first task.
  4. Change the parameter storagePriority to VSC.
  5. Do the same for the other service task.
  6. Click Save.

Upgrade from PRIME 3.11.5 to 3.11.6

Add tenant ID for cron user

The cron user requires a tenant ID again.

  1. Set cronUsername, cronPassword and cronTenantId in system.properties for Identity Manager Operator accordingly. See List of Identity Manager system properties.

Upgrade from PRIME 3.12.14 to 3.12.

15

16

Add tenant ID for cron user

The cron user requires a tenant ID again.

  1. Set cronUsername, cronPassword and cronTenantId in system.properties for Identity Manager Operator accordingly. See List of Identity Manager system properties.


This article is valid from Nexus PRIME 3.12
