Skip to main content
Skip table of contents

Upgrade from PRIME 3.11 to PRIME 3.12

This article is valid from Nexus PRIME 3.12

This article describes the steps that must be done when upgrading Nexus PRIME from version 3.11 to 3.12. The instructions cover relevant changes for standard features that can be used by configuration in PRIME Designer or configuration files. Customization changes in internal APIs etc are not included.

If you upgrade from a more previous version, you must do the upgrades step by step, that is, first upgrade from 3.10 to 3.11 and then from 3.11 to 3.12. If that is the case, see also Upgrade from PRIME 3.10 to PRIME 3.11.


Upgraded PRIME to 3.12, see Upgrade PRIME.

Upgrade information

SAML configuration

The SAML implementation has been revised and significant changes have been done to simplify the configuration.

For that reason, there is no automated upgrade path for an existing SAML configuration. SAML authentication profiles from previous releases have to be deleted and re-configured when upgrading to 3.12.

For details on how to configure SAML in PRIME 3.12, see chapters "Configure SAML SSO Core Object profile" and "Configure SAML SSO LDAP profile" in Set up authentication profile.

Nexus Certificate Manager integration

With PRIME 3.12 the latest major release of Nexus Certificate Manager (CM), version 8.1, is supported. With CM 8, several changes have been done in the integration interfaces. A downgrade to older CM versions just by replacing corresponding CMSDK files, is no longer possible. It is therefore highly recommend to upgrade CM to version 8.1. If you cannot upgrade immediately, there is a backport patch to CM version 7.18.1. See separate instructions that are delivered with the patch for details.

External PKI interfaces removed

All PRIME PKI connectors have been moved to the internal connector architecture. This was done already with the previous PRIME release. Therefore the old "External CA Connector" interface is no longer needed and it has been removed in the PRIME Designer configuration.

If you still have a PKI connected via this interface, you need to switch to the corresponding internal PRIME connector instead.

Trustserver functionality changed

As part of external PKI connector cleanup, the old "trustserver" functionality has been changed. "trustserver" was used in early PRIME projects to store sensitive data (like PIN and PUK) in Nexus Certificate Manager. Since sensitive data now can be encrypted also in PRIME, the trustserver functionality is only kept for compatibility reasons for existing PRIME installations.

Therefore the standalone usage of "trustserver" is no longer supported. Only the "combined" approach (new secrets are stored in PRIME internally, fallback is to check trustserver) can be used with PRIME 3.12.

In earlier releases, this functionality required configuration in PRIME Designer, PRIME Explorer and PRIME Tenant. The current implementation requires a available in all three applications. But only PRIME Explorer needs a working configuration, see an example file below. In PRIME Designer and PRIME Tenant, the file can be empty.

Example of

# config for trustserver
certificateManagerIssuerIdentifier=CN=CM DEV Issuing CA, O=CM DEV, C=DE
Changes in engineSignEncrypt.xml

Cleanup and restructuring has been done in engineSignEncrypt.xml:

  1. Remove these entries from the file, as they are obsolete. You can also leave them as they are, as they will have no effect.
    1. PasswordDescriptor
    2. SecretFields01
    3. signCertZipConfg
  2. Update these renamed entries in the file:
    1. Replace "PasswordDescriptor02" with "EncryptedFields".
    2. Replace "JWTDescriptor" with "SelfServiceJWTSigner".
  3. Duplicate the "SignVerifyDescriptor".
  1. In the first copy, replace "SignVerifyDescriptor" with "ObjectHistorySigner" (if you have multiple entries of SignVerifyDescriptor, use the one with the highest "key" attribute).
  2. In the second copy, replace "SignVerifyDescriptor" with "ConfigZipSigner".
  3. Optionally two different keys can be used for "ConfigZipSigner" and "ObjectHistorySigner".
  • Check the file in PRIME Explorer for the renamed attributes.
    1. At least the "SignVerifyDescriptor" should be present there and needs to be replaced with "ObjectHistorySigner".
    2. Also replace other attributes that you might find, as explained above.
  • Remove the "reuseKey" attribute in all descriptors, as it is obsolete.
  • See Sign and encrypt engine for more information. Also, see the updated engineSignEncrypt.xml in the PRIME 3.12 delivery for further information.

    Upgraded Groovy Script Engine

    The Groovy Script Engine has been updated from version 2.4 to version 3.0. Some Interfaces have changed or have been deprecated in Groovy 3.0. This might cause that custom Groovy scripts are failing after the update.

    Please check the corresponding release notes or change logs to verify if your custom scripts are affected and adapt your scripts if necessary.

    Manual update of processes

    For PRIME 3.12.4, these standard service tasks are updated, and the value for the parameter storagePriority is changed from TPM to VSC:

    Both tasks are used in the standard workflow Creation of virtual smartcard (Id: PcmSubProcCreationOfVSC), used in the module Digital Id.

    1. After uploading the module Digital Id into PRIME Designer, go to Home > Process Import.
    2. Search for the process name Creation of virtual smartcard or the process id PcmSubProcCreationOfVSC and double-click on it to open it.
    3. Under Attributes you see the two service tasks. Click Edit on the first task.
    4. Change the parameter storagePriority to VSC.
    5. Do the same for the other service task.
    6. Click Save.

    Upgrade from PRIME 3.11.5 to 3.11.6

    Add tenant ID for cron user

    The cron user requires a tenant ID again.

    1. Set cronUsername, cronPassword and cronTenantId in for Identity Manager Operator accordingly. See List of Identity Manager system properties.

    Upgrade from PRIME 3.12.14 to 3.12.16

    Add tenant ID for cron user

    The cron user requires a tenant ID again.

    1. Set cronUsername, cronPassword and cronTenantId in for Identity Manager Operator accordingly. See List of Identity Manager system properties.

    Additional information

    JavaScript errors detected

    Please note, these errors can depend on your browser setup.

    If this problem persists, please contact our support.