Version: 3.12

Release Date: 2020-04-15

For information on how to upgrade from PRIME 3.11 to 3.12, read this instruction: Upgrade from PRIME 3.11 to PRIME 3.12.

Main new features

Improvements regarding SAML

  • Improved usability of SAML configuration
  • Possibility for multiple Service Providers
  • New authentication profile combining SAML and LDAP

Object relation types

Object Relation Types are introduced so that you can have more information about the purpose and type of object relations.

ACME registration 

There is a new standard service task that can be used to register devices/services for ACME certificate enrollment via Nexus Certificate Manager version 8.1 and later.

Detailed feature list

Features

Jira ticket number | Description
CRED-7081

External PKI Connector support removed

All supported PKI connectors in PRIME have been moved into the PRIME application as internal connectors. The old external PKI (separate WAR file connected via HTTPS) is no longer supported. The functionality is obsolete and has therefore been removed.

CRED-8071

eIDAS compliant card with Gemalto MD940 chip supported

With this release, eIDAS compliant encoding of smart cards with Gemalto MD940 chips is supported via the Safenet Pkcs#11 Middleware. Specifically, access to the second card slot for writing the signing certificate is now implemented.

CRED-8257

Introducing Object Relation Types

So far, PRIME can set up relations between any objects in the system (for example, cards connected to a person, certificates on cards, requests related to persons etc.). Sometimes, it is necessary to have more information about the purpose and type of the relations, for example, whether you are the owner of the object, responsible for it (e.g. for a key) etc. With this new feature, custom types can be defined that can be set when the object relations are established. It is also possible to filter in search configs on certain object types so that PRIME can limit the view for certain user groups to relations of a certain type. See Set up search configuration in Identity Manager.

CRED-8308

Improved standard service task "Core Objects: Drop relations"

The existing standard service task to drop object relations has been improved. In former releases, it was only possible to drop all relations to all other objects of a certain type. Now it is possible to select a specific object (for example, one single card that is linked to a user) and drop the corresponding relation. See "Core Objects: Drop Relation" in Standard service tasks in Identity Manager.

CRED-8315

Certificate provisioning to Windows Certificate store supported

PRIME now supports certificate provisioning to Windows Certificate store via Personal Desktop App. An end user can request or recover a certificate via Self-Service, and the Pkcs#12 soft token can be delivered directly into the user's Windows Certificate store.

CRED-8543

Support for new certificate attribute for eIDAS compliance

This release supports the new Organization Identifier (OID 2.5.4.97) certificate attribute that is required for eIDAS compliant certificates. Currently it is supported in combination with Smart ID Certificate Manager or EJBCA. 

CRED-8556

ACME registration in Nexus Certificate Manager

With Certificate Manager 8.1, certificate enrollment via ACME has been introduced. PRIME provides a new standard service task to register devices/services for ACME certificate enrollment via CM version >= 8.1. See "Cert: Create ACME pre-registration order" in Standard service tasks in Identity Manager.

CRED-8572

Automatic data conversion in BatchSync improvements

Basic type conversions that do not require any additional configuration (for example, numbers from source to string in target) will be done automatically now.

Typical use case: import a number from a text file into a numeric database field.

CRED-8711

Revised SAML configuration and added support for multiple Service Providers

The whole SAML configuration in PRIME Designer has been revised and simplified. There are fewer parameters to configure, and the process is now easier to understand. At the same time, the possibility to set up multiple Service Providers (SP) for Nexus PRIME has been introduced, for example, for Self-Service vs. Explorer, or if different Explorer instances need to be identified by the Identity Provider (IDP). See Enable two-factor authentication to Identity Manager clients via SAML federation.

CRED-8914

Cosmo 8.2 cards with Idemia middleware supported

This release of PRIME supports the Cosmo 8.2 smart cards with the latest version of Idemia Pkcs#11 middleware.

CRED-8995

New standard service task for loading specific properties into the BPMN process

PRIME allows setting general purpose, custom properties in the Admin area of Explorer. This service task loads specific properties into the BPMN process, so that the corresponding parameters can be used during process execution. See "Process: Load value(s) of SystemProperties into process map" in Standard service tasks in Identity Manager.

CRED-8996

New standard service task for validating a data field via a regular expression

A new standard service task has been introduced to validate any data field in a process via a regular expression. See "Process: Validate a value in the Process Map against a regular expression" in Standard service tasks in Identity Manager.

CRED-9008 

Improved security for soft tokens

The security has been improved for all use cases issuing Pkcs#12 soft tokens in Nexus PRIME. By default, all soft tokens are now encrypted with an AES-256 key. For applications that cannot handle AES-256, there is now a parameter available in the standard soft token service task to change the encryption to another algorithm. See "Cert: Request & Recover PKCS#12 Soft Token" in Standard service tasks in Identity Manager.

CRED-9019

New authentication profile combining SAML and LDAP

Besides the current SAML authentication, we introduced a new authentication profile that combines SAML-based authentication with LDAP. This means that the authentication itself is done via the SAML ticket, and authorization is done via LDAP groups, so that assigning certain roles to users in PRIME can be managed via the directory service. See Set up authentication profile in Identity Manager.

CRED-9204

Introduced general process properties

In some cases, PRIME users want to set global parameters that will be used in every BPMN process. Therefore, we introduced a new section in the Properties configuration in PRIME Explorer for these values. A "timeout duration" property is now available by default; it defines a global parameter that is used to terminate pending processes after a certain time. See Set up timeout duration for processes in Identity Manager.

CRED-9260

Standard service task: X.509 certificate parsing

This PRIME release introduces a new standard service task that can be used to extract data from an X.509 certificate (for example, Subject DN, key size, Validity or RSA public exponent). The available attributes can then be processed in further steps of the BPMN flow. See "Cert: Extract Certificate Attributes" in Standard service tasks in Identity Manager.

CRED-9267

Support for latest release of Nexus Certificate Manager

This release of Nexus PRIME supports Smart ID Certificate Manager 8.1.

CRED-9292

Extended Standard service task for Certificate Request parsing

The existing standard service task "Cert: Extract Pkcs#10 Attributes From Request" has been extended. It is now possible to extract key length, key type and hash algorithm, and the signature of the Pkcs#10 request can be verified. See "Cert: Extract Pkcs#10 Attributes From Request" in Standard service tasks in Identity Manager.

IDC-1366

Show connector status in PACS admin panel

The PACS admin panel has been improved. The current connector status (active, inactive, last ping etc.) for each connected PACS system can now be displayed.

IDC-1431

Sending Audit Flag to Salto PACS

The PACS connector to Salto has been improved: It is now possible to configure if an "audit flag" is sent as part of the provisioning requests. This automatically activates the audit functionality in Salto for the specific user. See Set up integration with Salto.

Corrected bugs

Key | Description
CRED-6459

Sending emails failed when an attachment was configured but no attachment data was present. This is fixed now; the email is sent anyway.

CRED-8737

Fixed error handling on certificate login in PRIME Explorer. The user now gets an error message instead of being redirected to the username/password page when certificate login fails.

CRED-8742

Fixed an issue in the error handling of the "Change State in CA" process task.

CRED-8754

Fixed an issue with setting the friendly name when issuing a Pkcs#12 soft token.

CRED-8923

Fixed an issue in certificate validation when using certificate based authentication.

CRED-8924

Fixed a padding issue of RSA keys when recovering certificates from a PKI.

CRED-8929

Fixed an issue with config export of authentication token in the Messaging Server configuration.

CRED-9015

Fixed multi-value support for SAN_DNS and SAN_IP attributes in the D-Trust connector.

CRED-9071

Fixed an issue when opening Personal Desktop App via PRIME Explorer with the latest version of Chrome.

CRED-9099

Improved error handling when misconfigured CA config/certificate templates are executed in an encoding.

CRED-9152

The "Create PDF" standard service task didn't resolve encrypted fields. This has been fixed.

CRED-9169

Improved error handling when receiving response from Messaging Server. More meaningful error states are provided now.

CRED-9173

Fixed an issue when receiving certificates via distribution rules from Nexus Certificate Manager.

CRED-9175

Fixed error handling when using encoding descriptions without field mapping.

CRED-9178

Fixed an issue when using Boolean attributes in LDAP searches.

CRED-9235

Invoking ordinary datapool fields from process map in a search filter didn't work in PRIME Self-Service. This has been fixed.

CRED-9247

Fixed an issue when using multi-level search in batch orders.

CRED-9264

It was not possible to delete specific certificates on a smart card without deleting the corresponding keys. This has been fixed.

CRED-9309

Fixed translation of "meta fields" (like object status, Template name etc.) in PRIME Self-Service.

CRED-9310

Fixed an issue when PDF creation (via standard service task "Create PDF") is triggered in a PRIME Self-Service process.

CRED-9325

Fixed an issue with download of Pkcs#12 soft token files in PRIME Explorer and PRIME Self-Service.

CRED-9341

Fixed an issue with download of PDF files in PRIME Self-Service.

CRED-9351

Fixed an issue when showing object lists in PRIME Self-Service.

CRED-9357

Requesting issuing CA certificates via Pkcs#10 upload did not work. This has been fixed.

Release announcement

Important notes on this release

Limitations

For information on limitations, see Limitations for Identity Manager.

Contact

Contact Information

For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/

Support

Nexus offers maintenance and support services for Nexus PRIME to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.