 Personal Messaging: Create Key on Personal Mobile

Description

Use this task to provision a new profile or update an existing one, overwriting existing keys. The task will create the keys needed for the "Personal Messaging: Install Certificates on Personal Mobile" task.

The task will generate the following PKCS#10 request templates:

  • Signature Certificate (optional)
  • Authentication Certificate (optional)
  • Device Encryption (used to secure the communication with Personal Mobile)

These requests will then be sent to the mobile phone and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests will then be sent to the message catching intermediate event identified by the parameter 'messageName'. PRIME will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". In case a new profile was created, PRIME will also put the new profileId into the process map under the key "profileId".

After this task is executed, you need to request certificates using the requests stored in the process variables "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR" before proceeding to "Personal Messaging: Install Certificates on Personal Mobile" task. Store the requested certificates into the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodKeyCreationTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | | | UserId for Personal Messaging. This will be shown to the user on the mobile phone, to verify that the correct data is provided.
errorMessageField | | Example: ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | Example: ErrorType | Process variable to put the error type in case of failure.
signCertificateTemplate | - | | Signature certificate template.
authCertificateTemplate | - | | Authentication certificate template.
profileName | If new profile | leave empty (when updating a profile) | Profile name for Personal Messaging. Will be displayed in the Personal Mobile App. Leave empty if you want to update an existing profile.
serverName | If new profile | | Name of the server that issued the provisioning request.
qrResultField | If new profile | Example: QR_CODE_VAR | Process variable to put the resulting url. This url may be converted to a QR code for the Personal Mobile App by using GenerateQRCodeParametrizedAction.
profileId | If update profile | leave empty (for new profile) | Id of the Personal Mobile profile that will be updated with new keys. Leave empty if you want to provision a new profile.
storagePriority | - | Valid values: APP (for Personal Mobile, default), MDM (for Mobile Iron device) | Storage priority of certificates.

 Personal Messaging: Install Certificates on Personal Mobile

Description 

This task requests and installs certificates that were prepared using the "Personal Messaging: Create Key on Personal Mobile" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certificate requests generated by the "Personal Messaging: Create Key on Personal Mobile" task and stored them as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using the prepareDataForCertificateKeyRecoveryTask.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Personal Mobile'.
  • Authentication Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Personal Mobile'.
  • Device Encryption Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Personal Mobile'.
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodInstallCertificatesTask}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | | | UserId for Personal Messaging. This will be shown to the user on the mobile phone, to verify that the correct data is provided.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
signatureCertificate | - | ${SIG_VAR} | The signature certificate.
authenticationCertificate | - | ${AUTH_VAR} | The authentication certificate.
deviceEncryptionP10 | | ${DEVICE_ENC_P10_VAR} | The PKCS#10 request for the Device Encryption Certificate, created by the "Personal Messaging: Create Key on Personal Mobile" task.
profileId | | ${profileId} | The id of the profile under which to store the certificates. This is initially provided by the 'Personal Messaging: Create Key on Personal Mobile' task.
serverName | | | Name of the server that issued the provisioning request.
encryptionCertificate | - | | Encryption certificate template.
recoveryCertificate | - | | Recovery certificate template.
processVariable | - | | Variable name which holds a Core object id list or Core object descriptor list of certificates to be recovered.
p12PasswordField | | | Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
storagePriority | - | Valid values: APP (for Personal Mobile, default), MDM (for Mobile Iron device) | Storage priority of the encryption certificate. Accepted values are APP (for Personal Mobile) and MDM (Mobile Iron device).

 Personal Messaging: Create Key on Virtual Smart Card

Description

Use this task to create up to three template PKCS#10 requests that can be used to request certificates needed for the "Personal Messaging: Install Certificates On Virtual Smart Card" task. The templates are:

  • Signature Certificate (if template name is provided)
  • Authentication Certificate (if template name is provided)
  • Device Encryption (always, used to secure the communication with Personal Desktop App)

These requests will then be sent to Personal Desktop App and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests will then be sent to the message catching intermediate event identified by the parameter 'messageName'. PRIME will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR" and "AUTH_P10_VAR".

This task can only provision a new profile; updating an existing profile is currently supported only in Personal Mobile, not in Personal Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodKeyCreationTask}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | | | UserId for Personal Messaging. This will be shown to the user on the mobile phone, to verify that the correct data is provided.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
signCertificateTemplate | - | | Certificate template of the signature certificate.
authCertificateTemplate | - | | Certificate template of the authentication certificate.
profileName | | | Profile name for Personal Messaging. Will be displayed in Personal Desktop.
serverName | | | Name of the server that issued the provisioning request.
plugoutResultField | | plugoutUri | Process variable to put the resulting Personal Plugout URI that will open Personal Desktop App on the client machine.
adminKey | | ${Card_CardManagerKey} | The secret field reference of the 24-byte 3DES admin key in HEX format. The key can also be set directly as a plain hex value for testing. Note: Personal Desktop's own default is 123456781234567812345678123456781234567812345678, but you must make sure PRIME always defines the value!
smartCardId | | ${Card_VscId} | Virtual smartcard id. Usually it will be created via a dedicated number range.
provisionReader | | CreateTPM | CreateTPM (create a new VSC on the TPM) / FreeTPM (use the first free VSC on the TPM) / 0TPM / 1TPM / ... / 15TPM (use a specific VSC on the TPM). The value is passed as-is to Personal Desktop App. See the notes on provisionReader below the table.
pinMinLength | | Example: 6 | Min. length of the VSC PIN (Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength)
pinMaxLength | | Example: 15 | Max. length of the VSC PIN (Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength)
pinUppercase | | Valid values: ALLOWED (default), DISALLOWED, REQUIRED | Whether uppercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED.
pinLowercase | | Valid values: ALLOWED (default), DISALLOWED, REQUIRED | Whether lowercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED.
pinDigits | | Valid values: ALLOWED (default), DISALLOWED, REQUIRED | Whether digits in the PIN are ALLOWED / DISALLOWED / REQUIRED.
pinSpecialChars | | Valid values: ALLOWED (default), DISALLOWED, REQUIRED | Whether special chars in the PIN are ALLOWED / DISALLOWED / REQUIRED.
oldAdminKey | - | | This field only makes sense in case the "FreeTPM" provisionReader is configured. If provided, it will change the VSC's admin key: "oldAdminKey" must hold the old admin key and "adminKey" must hold the new admin key. For example, the default admin key of 010203040506070801020304050607080102030405060708 when you create the VSC with the Tpmvscmgr tool.
storagePriority | - | Valid values: TPM (for Personal Mobile, default), OS (Windows key storage) | Storage priority of keys.

Notes on provisionReader

Creating a new VSC with Personal Desktop App requires it to run with a local admin account; this is not needed for using a pre-created VSC.

Pre-created VSCs are required to have the Tpmvscmgr default admin key of 010203040506070801020304050607080102030405060708 (see https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr). This admin key will be overwritten with the one specified in the adminKey parameter listed above.

You can create a new VSC with this command as admin user: TpmVscMgr create /name MyVSC /pin default /adminkey default /generate [optional params go here]

This will also set the PIN to 12345678 (Personal Desktop App currently does not reset the PIN; use /pin prompt to set a custom PIN).

The PIN policy is also defined through TpmVscMgr (see the link above for the optional /pinpolicy parameter docs and the respective defaults).

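The adminKey and pin* parameters above describe constraints a process has to respect before handing the values to Personal Desktop App: a 24-byte 3DES key in HEX that must not be left at either of the published defaults, and a PIN policy inside the Windows 4-127 length range. The following Python script is an added example, not PRIME or Personal Desktop App code; it checks an adminKey value, checks a pin* parameter set for consistency and evaluates a candidate PIN against that set. The 3DES subkey test, the ASCII character classes and the rule that a PIN containing characters outside the four classes is rejected are assumptions of this example.

```python
"""Pre-flight checks for the 'Create Key on Virtual Smart Card' parameters.

Added example, not PRIME or Personal Desktop App code. The 4-127 length
range and the two default admin keys come from the task documentation; the
subkey check and the character classes are assumptions.
"""
import re
import string

# Default admin keys quoted in the task documentation (Personal Desktop's own
# default and the Tpmvscmgr default). Neither may survive provisioning.
KNOWN_DEFAULT_ADMIN_KEYS = {
    "123456781234567812345678123456781234567812345678",
    "010203040506070801020304050607080102030405060708",
}

# SmartCardPinPolicy length range quoted in the documentation.
PIN_LENGTH_MIN, PIN_LENGTH_MAX = 4, 127
PIN_CLASS_VALUES = ("ALLOWED", "DISALLOWED", "REQUIRED")

# Character class behind each pin* parameter (assumed: ASCII classes).
PIN_CHAR_CLASSES = {
    "pinUppercase": set(string.ascii_uppercase),
    "pinLowercase": set(string.ascii_lowercase),
    "pinDigits": set(string.digits),
    "pinSpecialChars": set(string.punctuation),
}


def check_admin_key(hex_key: str) -> list:
    """Return the problems found in a 24-byte 3DES admin key given in HEX."""
    problems = []
    key = hex_key.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{48}", key):
        return ["adminKey must be exactly 24 bytes (48 hex characters)"]
    if key in KNOWN_DEFAULT_ADMIN_KEYS:
        problems.append("adminKey is a published default value")
    raw = bytes.fromhex(key)
    k1, k2, k3 = raw[:8], raw[8:16], raw[16:24]
    # 3DES is EDE: E_K3(D_K2(E_K1(P))). With K1 == K2 or K2 == K3 two stages
    # cancel and only single DES remains; K1 == K3 is two-key 3DES.
    if k1 == k2 or k2 == k3:
        problems.append("adminKey collapses to single DES (repeated subkey)")
    elif k1 == k3:
        problems.append("adminKey is a two-key 3DES key (K1 == K3)")
    return problems


def check_pin_policy(policy: dict) -> list:
    """Return the problems found in a pinMinLength/pinMaxLength/pin* set."""
    problems = []
    lo, hi = policy["pinMinLength"], policy["pinMaxLength"]
    for name, value in (("pinMinLength", lo), ("pinMaxLength", hi)):
        if not PIN_LENGTH_MIN <= value <= PIN_LENGTH_MAX:
            problems.append(f"{name} {value} is outside {PIN_LENGTH_MIN}-{PIN_LENGTH_MAX}")
    if lo > hi:
        problems.append("pinMinLength exceeds pinMaxLength")
    for name in PIN_CHAR_CLASSES:
        if policy[name] not in PIN_CLASS_VALUES:
            problems.append(f"{name} must be ALLOWED, DISALLOWED or REQUIRED")
    if all(policy[name] == "DISALLOWED" for name in PIN_CHAR_CLASSES):
        problems.append("every character class is DISALLOWED, no PIN can satisfy the policy")
    return problems


def pin_is_acceptable(pin: str, policy: dict) -> bool:
    """Evaluate a candidate PIN against a policy that passed check_pin_policy."""
    if not policy["pinMinLength"] <= len(pin) <= policy["pinMaxLength"]:
        return False
    for name, members in PIN_CHAR_CLASSES.items():
        present = any(c in members for c in pin)
        if policy[name] == "DISALLOWED" and present:
            return False
        if policy[name] == "REQUIRED" and not present:
            return False
    # Characters outside the four classes are not governed by the policy; reject them.
    allowed = set().union(*PIN_CHAR_CLASSES.values())
    return all(c in allowed for c in pin)


# Constructed sample policy: the documented example lengths (6 / 15) with
# digits required and special characters disallowed.
EXAMPLE_POLICY = {
    "pinMinLength": 6, "pinMaxLength": 15,
    "pinUppercase": "ALLOWED", "pinLowercase": "ALLOWED",
    "pinDigits": "REQUIRED", "pinSpecialChars": "DISALLOWED",
}

if __name__ == "__main__":
    print(check_admin_key("010203040506070801020304050607080102030405060708"))
    print(check_pin_policy(EXAMPLE_POLICY))
    print(pin_is_acceptable("12345678", EXAMPLE_POLICY))
```

check_admin_key flags the Tpmvscmgr default twice, as a published default and as a key whose three DES subkeys are identical, which is why the task documentation insists that PRIME always defines the value. Run it over the plain hex value before the process stores it in the secret field referenced by adminKey.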
 Personal Messaging: Install Certificates on Virtual Smart Card

Description

This task requests and installs certificates that were prepared using the "Personal Messaging: Create Key on Virtual Smart Card" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certificate requests generated by the "Personal Messaging: Create Key on Virtual Smart Card" task. Store the certificates as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using the prepareDataForCertificateKeyRecoveryTask.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Virtual Smart Card'.
  • Authentication Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Virtual Smart Card'.
  • Device Encryption Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Virtual Smart Card'.
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodInstallCertificatesTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | | | UserId for Personal Messaging. This will be shown to the user on the mobile phone, to verify that the correct data is provided.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
signatureCertificate | | ${SIG_VAR} | The signature certificate.
authenticationCertificate | | ${AUTH_VAR} | The authentication certificate.
deviceEncryptionP10 | | ${DEVICE_ENC_P10_VAR} | The PKCS#10 request for the Device Encryption Certificate, created by the "Personal Messaging: Create Key on Virtual Smart Card" task.
profileId | | ${profileId} | The id of the profile under which to store the certificates. This is initially provided by the 'Personal Messaging: Create Key on Virtual Smart Card' task.
serverName | | | Name of the server that issued the provisioning request.
encryptionCertificate | | | Encryption certificate template.
recoveryCertificate | | | Recovery certificate template.
processVariable | | | Variable name which holds a Core object id list or Core object descriptor list of certificates to be recovered.
p12PasswordField | | | Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
smartCardId | | ${Card_VscId} | Virtual smartcard id. Usually it will be created via a dedicated number range.
storagePriority | - | Valid values: TPM (for Personal Mobile, default), OS (Windows key storage) | Storage priority of the Encryption certificate.

 Personal Messaging: Delete Virtual Smart Card Profile

Description

Use this task to delete a virtual smart card profile managed by Personal Desktop App on a TPM and also to delete all Personal Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete Virtual Smart Card profile on Personal Desktop App and Personal Messaging

To do this, specify a specific profile id and set the confirmation flag to true. All other parameters must be provided as well.

This task can be executed on a smart card profile which contains information about smart card id, profile id and card manager key (admin key).

The request will be sent to Personal Desktop App, which will delete the profile identified by the specified profile id and smart card id. Personal Desktop App will also change the card's admin key to the new value provided. The result will be sent to the message catching intermediate event identified by the parameter 'messageName'. After receiving a successful response from Personal Desktop App, Personal Messaging also deletes the mailbox and forwards the same response back to PRIME.

Delete mailbox on Personal Messaging only

To do this, set the confirmation flag to false. Smart card id and keys can be omitted.

Personal Messaging will delete either a specific mailbox when a profile id is provided or all mailboxes of the specified user id when the profile id is absent. The profiles themselves within Personal Desktop App will be retained, as the deletion request will not be forwarded to Personal Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodDeleteProfileTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
profileId | when confirmation flag is true | ${Card_ProfileId} | Id of the profile to be deleted, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
smartCardId | when profileId provided and confirmation flag is true | ${Card_VscId} | Id of the virtual smartcard, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
plugoutUrl | when profileId provided and confirmation flag is true | plugoutUrl | Process variable to put the resulting Personal Plugout URI that will open Personal Desktop App on the client machine.
userid | | ${Person_Email} | UserId for Personal Messaging. This is shown to the user on the mobile phone, to verify that the correct data is provided.
adminKey | when profileId provided and confirmation flag is true | | The secret field reference of the new 24-byte 3DES admin key to be set, in HEX format. The key can also be set directly as a plain hex value for testing.
oldAdminKey | when profileId provided and confirmation flag is true | ${Card_CardManagerKey} | The secret field reference of the current 24-byte 3DES admin key, in HEX format. The key can also be set directly as a plain hex value for testing.
confirmation | | true | Messaging Server will forward the delete profile request to Personal Desktop App when this is set to true.


 Personal Messaging: Start Connection for Personal Desktop App Scripting

Description

Use this task to start a connection to Personal Messaging. With this connection, scripts can be executed. Finally, the connection needs to be closed.

Once the connection is established you receive a boxId and a plugoutUrl which can be used to start Personal Desktop App and connect it to the corresponding box on Personal Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartConnectionParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
boxId | | | Process variable to put the boxId.
plugoutUrl | | | Process variable to put the plugout url.
messageToUser | | | An optional message to the user which will be displayed in Personal Desktop App.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.

 Personal Messaging: Execute Script in Personal Desktop App

Description

Use this service task to execute a script in Personal Desktop App. The script needs to be passed as a JSON array, for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodExecuteScriptParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
boxId | | | Process variable to put the boxId.
scriptCommands | | | Process variable containing the script commands. The commands need to be formatted as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]).
messageToUser | | | An optional message to the user which will be displayed in Personal Desktop App.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.

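The task description and the scriptCommands parameter above both show the script as a JSON array of APDU steps, each carrying a "response" regular expression. The Python script below is an added example, not PRIME or Personal Desktop App code; it validates such a script before a process places it in the scriptCommands variable, and replays it against a simulated card to show how the per-step "response" check gates progress through the script. The hex and length rules for "data", the whole-response match semantics for "response" and the simulated card's answers are assumptions of this example.

```python
"""Validate and dry-run a Personal Desktop App script for the 'Execute Script' task.

Added example, not PRIME or Personal Desktop App code. Format facts taken
from the documentation: a JSON array of objects with "type", "data" and
"response" keys, "type" is "APDU", "data" is the command APDU as hex and
"response" is a regular expression checked against the response. The hex
and length rules, the full-match semantics and the simulated card are
assumptions.
"""
import json
import re

# A command APDU is at least CLA INS P1 P2, so four bytes of hex (assumed rule).
APDU_HEX = re.compile(r"(?:[0-9A-Fa-f]{2}){4,}")


def validate_script(script_json: str) -> list:
    """Return the problems found in a script string (empty list = accepted)."""
    try:
        steps = json.loads(script_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(steps, list) or not steps:
        return ["script must be a non-empty JSON array"]
    problems = []
    for i, step in enumerate(steps):
        if not isinstance(step, dict):
            problems.append(f"step {i}: not a JSON object")
            continue
        if step.get("type") != "APDU":
            problems.append(f"step {i}: unsupported type {step.get('type')!r}")
        if not isinstance(step.get("data"), str) or not APDU_HEX.fullmatch(step["data"]):
            problems.append(f"step {i}: data must be an even-length hex string of at least 4 bytes")
        try:
            re.compile(step.get("response", ""))
        except re.error as exc:
            problems.append(f"step {i}: response is not a valid regular expression ({exc})")
    return problems


def run_script(script_json: str, card) -> tuple:
    """Replay a validated script against `card`, a callable that maps a command
    APDU (hex) to a response (hex). Stops at the first step whose response does
    not match its "response" pattern. Returns (steps_completed, all_matched)."""
    completed = 0
    for step in json.loads(script_json):
        response = card(step["data"]).upper()
        # Assumed: the pattern must match the whole response, which is why the
        # documented example starts with ".*" before the status word.
        if not re.fullmatch(step["response"], response):
            return completed, False
        completed += 1
    return completed, True


# Constructed simulated card: two known commands, everything else answered
# with 6D00 (instruction not supported).
_DEMO_RESPONSES = {
    "00A4040000": "9000",
    "00B0000004": "DEADBEEF9000",
}


def demo_card(apdu_hex: str) -> str:
    return _DEMO_RESPONSES.get(apdu_hex.upper(), "6D00")


# Constructed scripts: the documented SELECT step followed by a read that the
# demo card answers, and a variant whose second command the demo card rejects.
EXAMPLE_SCRIPT = json.dumps([
    {"type": "APDU", "data": "00A4040000", "response": ".*(9000)"},
    {"type": "APDU", "data": "00B0000004", "response": ".*(9000)"},
])
FAILING_SCRIPT = json.dumps([
    {"type": "APDU", "data": "00A4040000", "response": ".*(9000)"},
    {"type": "APDU", "data": "0020000108", "response": ".*(9000)"},
])

if __name__ == "__main__":
    print(validate_script(EXAMPLE_SCRIPT))
    print(run_script(EXAMPLE_SCRIPT, demo_card))
    print(run_script(FAILING_SCRIPT, demo_card))
```

Validating the array before the service task runs keeps a malformed regex or a truncated APDU from surfacing only as an error in the Personal Desktop App callback, where errorMessageField is the only diagnostic a process gets back.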
 Personal Messaging: Close connection for Personal Desktop App Scripting

Description

Use this service task to close a scripting connection to Personal Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndConnectionParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
boxId | | | Process variable to put the boxId.
messageToUser | | | An optional message to the user which will be displayed in Personal Desktop App.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.

 Personal Messaging: Initiate PIN Reset on Virtual Smart Card

Description

Use this task to initiate a PIN reset on a virtual smart card.

Once the operation is confirmed by the user through the Personal Desktop App, PRIME will receive a challenge that needs to be encrypted with the card manager key in order to authorize the PIN reset. The challenge will be set in the process variable "challenge".

After this task is executed, use the "Credentials: Calculate Minidriver Offline Unblocking Response" task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Personal Messaging: Complete PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartPinResetTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | | ${Person_Email} | UserId for Personal Messaging. This is shown to the user on the mobile phone, to verify that the correct data is provided.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
profileId | | ${Card_ProfileId} | Id of the profile whose PIN to change, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
smartCardId | | ${Card_VscId} | Id of the virtual smartcard, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
boxId | | boxId | Process variable to put the boxId. This will be needed to complete the PIN reset.
plugoutUrl | | plugoutUrl | Process variable to put the plugout url.


 Personal Messaging: Complete PIN Reset on Virtual Smart Card

Description

Use this task to complete a PIN reset on a virtual smart card. Once the PIN is reset by the Personal Desktop App, PRIME will receive an event indicating success or failure of the operation.

As a prerequisite you must have encrypted the challenge received in the "Personal Messaging: Initiate PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndPinResetAction}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | | | The name of the intermediate message catching event that will be triggered by Personal Messaging.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
profileId | | ${Card_ProfileId} | Id of the profile whose PIN to change, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
smartCardId | | ${Card_VscId} | Id of the virtual smartcard, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
boxId | | ${boxId} | The boxId that was created with 'Personal Messaging: Request PIN Reset on Virtual Smart Card'.
response | | ${encryptedChallenge} | The challenge received in the callback of 'Personal Messaging: Request PIN Reset on Virtual Smart Card', encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'.

 Personal Messaging: Send Ping Request to Personal Desktop App

Description

Use this task to retrieve profile and device information of virtual smart cards that are managed by Personal Desktop App.

You can request information of a virtual smart card or of a single virtual smart card profile.

The task will put a "commandId" value into a process variable which must be used for polling the response using "Personal Messaging: Poll Ping Response from Personal Messaging".

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingRequestTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
profileId | | | If provided, restricts the requested information to this profile. ProfileId values are created in the 'Personal Messaging: Create Virtual Smart Card Key' task.
plugoutUrl | | plugoutUrl | Process variable to put the plugout url.
userid | | tmp | UserId for Personal Messaging. If a profileId parameter is set, this must match the userid provided when the profile was requested. Otherwise any value will do.
deviceInfo | | true | Request device information.
profileInfo | | true | Request profile information.
commandId | | commandId | Process variable to put the commandId value, which is needed for polling in the "Personal Messaging: Poll Ping Response from Personal Messaging" task.

 Personal Messaging: Poll Ping Response from Personal Messaging

Description

Use this task to poll a ping response from Personal Messaging based upon the 'commandId' (which was created at the ping request to Personal Messaging).

Execute this task after a ping request to Personal Messaging. It polls the message from Personal Messaging, based upon the provided command id. After receiving the response from Personal Messaging it stores the profile and device information into the configured service task parameters.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingResponsePollingTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
--- | --- | --- | ---
messagingServer | | | The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
errorMessageField | | ErrorMessage | Process variable to put the error message in case of failure.
errorTypeField | | ErrorType | Process variable to put the error type in case of failure.
commandId | | ${commandId} | CommandId which was received by the "Personal Messaging: Send Ping Request to Personal Desktop App" task, needed for polling.
profileInfo | | profileInfo | Process variable to put the profile information.
deviceInfo | | deviceInfo | Process variable to put the device information.
