Description
This task will create up to three template PKCS#10 requests:
- Signature Certificate (if template name is provided)
- Authentication Certificate (if template name is provided)
- Device Encryption (always, used to secure the communication with Personal Mobile)
These requests then will be sent to the mobile phone, where a key pair is created and bound to the requests. (This approach makes sure the private keys won't leave the mobile phone.) The requests will, in turn, be sent to the message catching intermediate event identified by the parameter 'messageName'.
In PRIME 3.9 this task can be configured to either provision a new profile, or to update an existing profile, overwriting any existing keys with the respective key id.
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodKeyCreationTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Sample value | Description |
|---|---|---|---|
messageName |
|
| The name of the message in the message event in the process which is reacting on the callback. |
| userid |
| The field in the dataMap that should be mapped to the userId for Hermod. This will be shown to user on the mobile phone, to verify the correct data is provided. | |
| lifespan |
| 300 | Lifespan of command for Hermod in seconds. After this the command is removed from history and the provisioning will fail. |
| timeout |
| 250 | Timeout of command for Hermod in seconds (must be < lifespan). After this, the command is removed from message box, but kept for polling until lifespan is reached. |
| errorMessageField |
| ErrorMessage | Datamap field to contain error message in case of failure. |
| errorTypeField |
| ErrorType | Datamap field to contain error type in case of failure. |
| signCertificateTemplate | - | Certificate template for the signature certificate. Leave blank if no signature certificate is desired | |
| authCertificateTemplate | - | Certificate template for the authentication certificate. Leave blank if no authentication certificate is desired | |
| profileName | new profile | Name of the profile for Hermod. As displayed in Personal Mobile App | |
| serverName | new profile | Name of the server that issued the provisioning request. | |
| qrResultField | new profile | QR_CODE_VAR | The field in the dataMap where the resulting url should be stored in. This url might be converted to a QR-Code to be used by Personal Mobile App. GenerateQRCodeParametrizedAction can be used to generate this QR code. |
| profileId | update | Expression resolving to the Personal Mobile profile ID of the profile that shall be updated with new keys. |
Description
Use this task to create up to three template PKCS#10 requests:
- Signature Certificate (if template name is provided)
- Authentication Certificate (if template name is provided)
- Device Encryption (always, used to secure the communication with Personal Desktop App)
These requests will then be sent to Personal Desktop App, where a key pair is created and bound to the requests. (This approach makes sure the private keys won't leave the TPM.) The requests will, in turn, be sent to the message catching intermediate event identified by the parameter 'messageName'.
This task can be used only when provision a new profile - updating an existing profile is only supported in Personal Mobile at this time, not in Personal Desktop App.
Configuration
To use this task, configure the following delegate expressing in your service task:
${pxVscHermodKeyCreationTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Sample Value | Description |
|---|---|---|---|
messageName |
|
| The name of the message in the message event in the process which is reacting on the callback. |
| lifespan |
| 300 | Lifespan of command for Hermod in seconds. After this the command is removed from history and the provisioning will fail. |
| timeout |
| 250 | Timeout of command for Hermod in seconds (must be < lifespan). After this, the command is removed from message box, but kept for polling until lifespan is reached. |
| errorMesageField |
| ErrorMessage | Datamap field to contain error message in case of failure. |
| errorTypeField |
| ErrorType | Datamap field to contain error type in case of failure. |
| userid |
| The field in the dataMap that should be mapped to the userId for Hermod. This will be displayed in Personal Desktop App. | |
| signCertificateTemplate | - | Certificate template for the signature certificate. Leave blank if no signature certificate is desired. | |
| authCertificateTemplate | - | Certificate template for the authentication certificate. Leave blank if no authentication certificate is desired. | |
| profileName |
| Name of the profile for Hermod. Will be displayed in Personal Desktop App. | |
| serverName |
| Name of the server that issued the provisioning request. | |
| plugoutResultField |
| plugoutUri | The field in the dataMap where the resulting Personal Plugout URI should be stored (to be used by a user task for displaying the plugout URI). |
| adminKey |
| Card_CardManagerKey | Name of secret field reference of 24-byte 3DES admin key in HEX format. The key can also be set directly as plain hex value for testing. Note: Personal Desktop App's own default is 123456781234567812345678123456781234567812345678, but you must make sure PRIME always defines the value! |
| smartCardId |
| ${Card_VscId} | Expression that resolves to a generated ID for the virtual smartcard. Usually it will be created via a dedicated number-range. |
| provisionReader |
| CreateTPM | CreateTPM (create a new VSC on the TPM) / FreeTPM (use first free VSC on the TPM) / 0TPM / 1TPM / ... / 15TPM (use specific VSC on the TPM). The value is passed as-is to Personal Desktop App. Creating a new VSC with Personal Desktop App requires it to run with a local admin account - this is not needed for using a pre-created VSC. Pre-created VSCs are required to have the Tpmvscmgr default admin key of 010203040506070801020304050607080102030405060708 see https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr - this admin key will be overwritten with the one specified in the adminKey parameter listed above. You can create a new VSC with this command as admin user: TpmVscMgr create /name MyVSC /pin default /adminkey default /generate [optional params go here] This will also set the PIN to 12345678 (Personal Desktop App currently does not reset the PIN - use /pin prompt to set a custom PIN). Also the PIN policy is defined through TpmVscMgr (see link above for optional /pinpolicy parameter docs and the respective defaults). |
| pinMinLength |
| 6 | Min. length of the VSC PIN (Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength) |
| pinMaxLength |
| 15 | Max length of the VSC PIN (Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength) |
| pinUppercase |
| ALLOWED | Whether uppercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED |
| pinLowercase |
| ALLOWED | Whether lowercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED |
| pinDigits |
| ALLOWED | Whether digits in the PIN are ALLOWED / DISALLOWED / REQUIRED |
| pinSpecialChars |
| ALLOWED | Whether special chars in the PIN are ALLOWED / DISALLOWED / REQUIRED |
Description
Use this service task to end a connection to Hermod.
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodEndConnectionParametrizedTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Default value | Description |
|---|---|---|---|
lifespan |
| 300 | |
| timeout |
| 250 | |
| boxId |
| The datamap field into which the boxId shall be inserted | |
| messageToUser | - | An optional message to the user which will be displayed in the client application. | |
| messageName |
| This field describes the name of the bpmn MessageCatchEvent which will be called once the connection was ended successfully on the client. |
Description
Use this service task to execute a script via Hermod. The script needs to be passed as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}])
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodExecuteScriptParametrizedTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Default value | Description |
|---|---|---|---|
lifespan |
| 300 | |
| timeout |
| 250 | |
| boxId |
| The datamap field into which the boxId shall be inserted | |
| scriptCommands |
| The datamap field where the script commands are stored. The commands need to be formatted as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]) | |
| messageToUser | - | An optional message to the user which will be displayed in the client application. | |
| messageName |
| This field describes the name of the bpmn MessageCatchEvent which will be called once the script was executed successfully on the client. |
Description
Use this task to install a number of certificates on the mobile phone:
- Signature Certificate, will be bound to the key pair created by Hermod Key Creation
- Authentication Certificate, will be bound to the key pair created by Hermod Key Creation
- Device Encryption Certificate, will be bound to the key pair created by Hermod Key Creation
- Encryption Certificate create with key archival (Only if certificate template is provided)
- Any number of recovered certificates. can be used to prepare the data.
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodInstallCertificatesTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Sample value | Description |
|---|---|---|---|
messageName |
|
| The name of the intermediate message catching event used to provide the result of installing the certificates. Basically success or failure. |
| userid |
| The field in the dataMap that should be mapped to the userId for Hermod. This will be shown to user on the mobile phone, to verify the correct data is provided. | |
| lifespan |
| 300 | Lifespan of command for Hermod in seconds. After this, the command is removed from history and the provisioning will fail. |
| timeout |
| 250 | Timeout of command for Hermod in seconds (must be < lifespan). After this, the command is removed from message box, but kept for polling until lifespan is reached. |
| errorMessageField |
| ErrorMessage | Datamap field to contain error message in case of failure. |
| errorTypeField |
| ErrorType | Datamap field to contain error type in case of failure. |
| signatureCertificate | - | ${SIG_VAR} | The signature certificate created using the PKCS#10 request from the mobile. Leave blank or use an expression pointing to an empty field if no signature certificate is desired. |
| authenticationCertificate | - | ${AUTH_VAR} | The authentication certificate created using the PKCS#10 request from the mobile. Leave blank or use an expression pointing to an empty field if no authentication certificate is desired. |
| deviceEncryptionP10 |
| ${DEVICE_ENC_P10_VAR} | The PKCS#10 request of the Device Encryption Certificate. This is provided by Hermod through the message event mentioned in Hermod Key Creation. |
| profileId |
| profileId | The id of profile created on the mobile. This is provided by Hermod through the message event mentioned in Hermod Key Creation. |
| serverName |
| Name of the server that issued the provisioning request. | |
| encryptionCertificate | - | Certificate template for encryption certicate. Or leave it blank is not desired. | |
| recoveryCertificate | - | Certificate template used to recover the certifiactes provided in the processVariable | |
| processVariable | - | List of core object ids of certificates to be recovered. | |
| p12PasswordField |
| Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords. |
Description
Use this task to install a number of certificates on the virtual smartcard through Personal Desktop App.
- Signature Certificate, will be bound to the key pair created by 'Personal Server: Create Key'
- Authentication Certificate, will be bound to the key pair created by 'Personal Server: Create Key'
- Device Encryption Certificate, will be bound to the key pair created by 'Personal Server: Create Key'
- Encryption Certificate create with key archival (Only if certificate template is provided)
- Any number of recovered certificates.
prepareDataForCertificateKeyRecoveryTaskcan be used to prepare the data.
Configuration
To use this task, configure the following delegate expressing in your service task:
${pxVscHermodInstallCertificatesTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Sample Value | Description |
|---|---|---|---|
messageName |
|
| The name of the intermediate message catching event used to provide the result of installing the certificates. Basically success or failure. |
| userid |
|
| The field in the dataMap that should be mapped to the userId for Hermod. This will be displayed in Personal Desktop App. |
| lifespan |
| 300 | Lifespan of command for Hermod in seconds. After this the command is removed from history and the provisioning will fail. |
| timeout |
| 250 | Timeout of command for Hermod in seconds (must be < lifespan). After this, the command is removed from message box, but kept for polling until lifespan is reached. |
| errorMessageField |
| ErrorMessage | Datamap field to contain error message in case of failure. |
| errorTypeField |
| ErrorType | Datamap field to contain error type in case of failure. |
| signatureCertificate | - | ${SIG_VAR} | The signature certificate created using the PKCS#10 request from the VSC. Leave blank or use an expression pointing to an empty field if no signature certificate is desired. |
| authenticationCertificate | - | ${AUTH_VAR} | The authentication certificate created using the PKCS#10 request from the VSC. Leave blank or use an expression pointing to an empty field if no authentication certificate is desired. |
| deviceEncryptionP10 |
| ${DEVICE_ENC_P10_VAR} | The PKCS#10 request of the Device Encryption Certificate. This is provided by Hermod through the message event mentioned in Hermod Key Creation. |
| profileId |
| ${profileId} | The id of profile created on the TPM. This is provided by Hermod through the message event mentioned in Hermod Key Creation. |
| serverName |
| Name of the server that issued the provisioning request. | |
| encryptionCertificate | - | Certificate template for encryption certificate. Or leave it blank if not desired. | |
| recoveryCertificate | - | Certificate template used to recover the certificates provided in the processVariable. | |
| processVariable | - | List of core object ids of certificates to be recovered. | |
| p12PasswordField |
| Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords. | |
| smartCardId |
| ${Card_VscId} | Expression that resolves to a generate ID for the virtual smartcard. Usually it will be created via a dedicated number-range. |
Description
Use this task to start to establish a connection to a virtual smart card in order to reset the pin. Once the operation is allowed by the user through Personal Desktop App, PRIME will receive an event containing a challenge, that need to be encrypted via the card manager key in order to authorize the pin reset.
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodStartPinResetTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Sample Value | Description |
|---|---|---|---|
messageName |
|
| The name of the message in the message event in the process which is reacting on the callback. |
| userid |
| ${Person_Email} | The field in the dataMap that should be mapped to the userId for Hermod. This will be shown to user on the mobile phone, to verify the correct data is provided. |
| lifespan |
| 300 | Lifespan of command for Hermod in seconds. After this the command is removed from history and the provisioning will fail. |
| timeout |
| 250 | Timeout of command for Hermod in seconds (must be < lifespan). After this, the command is removed from message box, but kept for polling until lifespan is reached. |
| errorMessageField |
| ErrorMessage | Datamap field to contain error message in case of failure. |
| errorTypeField |
| ErrorType | Datamap field to contain error type in case of failure. |
| profileId |
| ${Card_ProfileId} | As created via 'Personal server: Create virtual smartcard key' |
| smartCardId |
| ${Card_VscId} | As created via 'Personal server: Create virtual smartcard key' |
| boxId |
| boxId | Name of a variable to store the boxId. This will be necessary to acknowledge the PIN reset. |
| plugoutUrl |
| plugoutUrl | Name of a variable to store the plugout url that will open Personal Desktop App on the client machine. |
Description
Use this task to establish a connection to a virtual smart card in order to reset the PIN. Once the PIN is reset by Personal Desktop App, PRIME will receive an event indicating success or failure of the operation.
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodEndPinResetTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Sample Value | Description |
|---|---|---|---|
messageName |
|
| The name of the message in the message event in the process which is reacting on the callback. |
| lifespan |
| 300 | Lifespan of command for Hermod in seconds. After this the command is removed from history and the provisioning will fail. |
| timeout |
| 250 | Timeout of command for Hermod in seconds (must be < lifespan). After this, the command is removed from message box, but kept for polling until lifespan is reached. |
| errorMessageField |
| ErrorMessage | Datamap field to contain error message in case of failure. |
| errorTypeField |
| ErrorType | Datamap field to contain error type in case of failure. |
| profileId |
| ${Card_ProfileId} | As created via 'Personal server: Create virtual smartcard key' |
| smartCardId |
| ${Card_VscId} | As created via 'Personal server: Create virtual smartcard key' |
| boxId |
| ${boxId} | The boxId that was created with 'Personal server: Request PIN reset on virtual smartcard' |
| response |
| ${encryptedChallenge} | The challenge received in the callback of 'Personal Server: Request PIN Reset on Virtual Smartcard' encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'. |
Description
Use this task to start a connection to Hermod. Once the connection is established you receive a bid (boxId) and a plugoutUrl which can be used to start a client tool (so far only Nexus Personal) and connect it to the given boxId at Hermod.
Configuration
To use this task, configure the following delegate expressing in your service task:
${hermodStartConnectionParametrizedTask}
The following parameters can be configured in PRIME Designer:
| Parameter | Mandatory | Default value | Description |
|---|---|---|---|
lifespan |
| 300 | |
| timeout |
| 250 | |
| boxId |
| The datamap field into which the boxId shall be inserted | |
| plugoutUrl |
| The datamap field into which the plugout url shall be inserted | |
| messageToUser | - | An optional message to the user which will be displayed in the client application. | |
| messageName | - | In case of passing script commands into the start connection request, a callback will be triggered once the scripts has executed successfully. This field describes the name of the bpmn MessageCatchEvent. |