Upgrade from PRIME 3.10 to PRIME 3.11
- Ann Base (Deactivated)
- Ylva Andersson
- Josefin Klang (Deactivated)
- Karolin Hemmingsson (Unlicensed)
This article is valid from Nexus PRIME 3.11
This article describes the steps that must be done when upgrading Smart ID Identity Manager from version 3.10 to 3.11. The instructions cover relevant changes for standard features that can be used by configuration in PRIME Designer or configuration files. Customization changes in internal APIs etc are not included. These instructions apply when upgrading the 3.10 standard packages to 3.11.
If you upgrade from an earlier version, you must do the upgrades step by step, that is, first upgrade from 3.9 to 3.10 and then from 3.10 to 3.11. If that is the case, see also Upgrade from PRIME 3.9 to PRIME 3.10.
Upgraded PRIME to 3.11, see Upgrade Identity Manager.
Step-by-step instructions
For PRIME 3.11, the new service task Execute Search has replaced beans in several processes in PRIME. Some beans in all custom beans files have been removed. For more information on Execute Search, see Process - Standard service tasks in Identity Manager.
To adapt to the new setup, the PRIME configuration must be modified. There are two options to do this:
Option 1 - Manually update processes
- In your current configuration, update the PRIME processes that are listed below. Compare each process with the corresponding process for 3.11 and update it accordingly.
Smart ID Base module

Process | Name |
---|---|
BaseProcSaveEmployeeWithUniqueness | Save employee with unique email |
BaseProcSaveVisitorWithUniqueEmail | Save visitor with unique email |

Smart ID Digital ID

Process | Name |
---|---|
PcmProcActivatePMProfile | Install certificates on mobile Id (was: Request PM certificates) |
PcmProcContractorCardWithApproval | Request contractor card |
PcmProcContractorCardWithoutApproval | Create contractor card |
PcmProcDeactivateContractor | Deactivate contractor |
PcmProcDeactivateEmployee | Deactivate employee |
PcmProcDeactivateEmployeeCard | Deactivate employee card |
PcmProcDeactivateVisitor | Deactivate visitor |
PcmProcEmployeeCardProduction | Employee Card Production |
PcmProcEmployeeCardWithApproval | Request employee card |
PcmProcEmployeeCardWithoutApproval | Create employee card |
PcmProcEmployeeTemporaryCard | Create employee temporary card |
PcmProcLockEmployeeCard | Lock employee card |
PcmProcLockEmployeeTempCard | Lock employee Temp Card |
PcmProcLockPersonalMobile | Lock mobile Id |
PcmProcLockPersonalX | Lock virtual smartcard |
PcmProcProvisioningCertificateToVSC | Provisoning certificate to virtual smartcard |
PcmProcReactivateEmployeeCard | Reactivate employee card |
PcmProcRenewEmployeeCard | Renew employee card |
PcmProcRenewVirtualSmartcard | Renew virtual smartcard |
PcmProcRepeatEmployeeCardProduction | Repeat Employee Card Prod. |
PcmProcReplaceEmployeeCard | Replace employee card |
PcmProcReplaceVSC | Replace virtual smartcard |
PcmProcUSSPEmployeeCardWithApproval | Request USSP-Employee card |
PcmProcUSSPEmployeeCardWithoutApproval | Create USSP-Employee card |
PcmProcWithdrawEmployeeTempCard | Withdraw Employee Temp Card |
PcmSubProcCreationOfVSC | Creation of virtual smartcard |
PcmSubProcMobileId | Subprocess Mobile Id |
PcmSubProcReplaceEmployeeCard | Subprocess Replace employeecard |
PstmProcProceedSoftwareTokenRequest | Proceed softtoken request |
PstmProcReplaceSofttokenUSSP | Replace softtoken |
PstmProcRevokeAllSofttokenTypes | Revoke all softtoken types |
PstmProcSendCertificatesToStand-In | Send encryption certificates to stand-in |
PstmProcSubSubProcRenewSofttoken | Subprocess Renew softtoken |
PstmSubProcReplaceSofttokenUSSP | Subprocess Replace Softtoke USSP |

Smart ID Physical Access Module

Process | Name |
---|---|
BaseProcCreateActivateContractor | Create contractor |
BaseProcCreateActivateEmployee | Create employee |
BaseProcReactivateEmployee | Reactivate employee |
BaseProcReactivateEmployeeWithRoleUSSP | Reactivate employee |
PcmProcActivateContractorCard | Activate employee card |
PcmProcActivateEmployeeCard | Activate employee card |
PcmProcAssignNonPersonalCard | Assign non personal card |
PcmProcAssignNonPersonalCardToEmployee | Assign Non Personal Card To Employee |
PcmProcDeactivateContractor | Deactivate contractor |
PcmProcDeactivateContractorCard | Deactivate contractor card |
PcmProcDeactivateEmployee | Deactivate employee |
PcmProcDeactivateEmployeeCard | Deactivate employee card |
PcmProcLockContractorCard | Lock contractor card |
PcmProcLockEmployeeCard | Lock employee card |
PcmProcReactivateEmployeeCard | Reactivate employee card |
PcmProcReactivateEmployeeWithRoleUSSP | Reactivate employee with Role USSP |
PcmProcReplaceEmployeeCard | Replace employee card |
PcmProcWithdrawNonPersonalCard | Withdraw non personal card |
PcmSubProcReplaceEmployeeCard | Subprocess Replace employee card |
PemProcCreateAccessRule | Create access rule |
PemProcDeleteAccessRule | Delete access rule |
PemProcDeleteGroup | Delete group |
PemProcEditAccessRule | Edit access rule |
PemProcWithdrawGroupMembership | Withdraw group membership |
PemSubProcGenerateExpression | Subprocess Generate expression |
Option 2 - Enable PRIME 3.11 to work with the previous custom-beans
Since the old beans will be removed in the future, it is recommended that you make a plan to adapt the processes to the new service task, according to option 1. No date has been set yet for when the beans will be removed.
- Take a backup of the existing custom beans files in this folder:
  Example: custom beans file folder
  <...>\webapps\prime_explorer\WEB-INF\classes\spring
- Copy the following custom beans files. These files are only to be used when upgrading PRIME to 3.11.
  - custom-beans-PSTM.xml
  - custom-beans-PEM.xml
  - custom-beans-PCM.xml
  - custom-beans-BIM.xml
  - custom-beans-SCM.xml
- Place the files in this folder:
  Example: custom beans file folder
  <...>\webapps\prime_explorer\WEB-INF\classes\spring
- If you had created your own beans, copy them from the old to the new custom beans files.
- Restart Tomcat.
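For the step of copying your own beans from the old to the new custom beans files, the following added example (not part of the Nexus documentation or product) compares a backed-up file with its replacement and lists the bean ids that exist only in the backup or whose class differs. It assumes the files are standard Spring beans XML; the sample content, bean ids and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/beans}"  # Spring beans namespace


def bean_map(xml_text):
    """Return {bean id or name: class} for the top-level <bean> elements."""
    beans = {}
    for el in ET.fromstring(xml_text):
        if el.tag in (NS + "bean", "bean"):
            key = el.get("id") or el.get("name")
            if key:
                beans[key] = el.get("class", "")
    return beans


def compare_beans(old_xml, new_xml):
    """Compare a backed-up custom beans file with its 3.11 replacement.

    Returns (missing, changed): ids found only in the old file, and ids
    whose class differs between the files. Both lists need manual review.
    """
    old, new = bean_map(old_xml), bean_map(new_xml)
    missing = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return missing, changed


# Constructed sample files; bean ids and classes are hypothetical.
OLD_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="standardBeanA" class="com.example.prime.StandardA"/>
  <bean id="standardBeanB" class="com.example.prime.StandardB"/>
  <bean id="acmeBadgeLookup" class="com.acme.BadgeLookup"/>
</beans>"""

NEW_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="standardBeanA" class="com.example.prime.StandardA"/>
  <bean id="standardBeanB" class="com.example.prime.StandardB2"/>
</beans>"""

if __name__ == "__main__":
    missing, changed = compare_beans(OLD_XML, NEW_XML)
    print("only in backup, copy over:", missing)
    print("class differs, review:", changed)
```

Run it once per file pair (PSTM, PEM, PCM, BIM, SCM) with the file contents read from the backup folder and from the new files before restarting Tomcat.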
As a successor solution for JPKIEncoder, PKI-only Card Encoding via "Production Task" can now be done via Personal Desktop App.
Therefore, the option JPKIEncoder in the Card Template configuration has been removed. The option Personal Desktop App is now available instead in the corresponding drop-down list.
If you currently use the JPKIEncoder with previous PRIME releases, we recommend that you switch to Personal Desktop App. Configurations that are not changed after the update to PRIME 3.11 (and still have JPKIEncoder set) will fall back to a Card SDK Encoding.
PRIME Explorer now supports using Personal Desktop App for encoding in the Card Operation ("cardjob") task. This requires that the device ID in the encoding description file (the DSC file) is set to 8711 instead of the default 8710. Otherwise Card SDK will be used.
In the encoding description file, specify as follows:
    [Encoding]
    Type=1024,Chip
    Devices=8711
    ...
Do not re-use encodings with device ID 8711 for card production with Card SDK. This ID is not supported by the Card SDK and will cause errors.
For PRIME Self-Service, the device ID is irrelevant as it only supports chip encodings via Personal Desktop App.
The EJBCA connector has been changed to an integrated connector, similar to all the other PKI connectors. The separate WAR file is no longer available. Customers using the old connector in previous releases have to change their configuration:
- Open the corresponding connection in PRIME Designer > Certificate Authorities.
- Select EJBCA in the Connection Type drop-down list.
- Upload the configuration file, enter Host name and Officer PIN according to the instructions in Integrate Identity Manager with EJBCA connector.
A sample configuration file is available in the PRIME modules ZIP in the subfolder "ca_connector_configs".
The configuration of the DataSyncProxy on client/customer side has been changed.
The custom.properties file from the previous releases has been replaced by the data_sync_proxy.yaml file. A sample is part of the release.
See also Smart ID Agent (DataSyncProxy) in Identity Manager for more information.
To keep the old behavior for the service task Core Objects: Create Relation when upgrading PRIME to 3.11 you must do these parameter changes:
Parameter | Update |
---|---|
source | Keep |
destination | Keep |
relationTypeToDestination | Remove |
relationTypeToSource | Remove |
includeRelationTypeToCompareOfObjects | Keep |
exceptionIsThrownIfRelationAlreadyExists | Keep |
relationType | NEW, set value "DEFAULT" (with all uppercase letters) |
When creating a new database or a new tenant, the default value for relationType is "Default". But when upgrading from <= 3.10 the default value is "DEFAULT" - with all uppercase letters.
See also this article:
- Configuration for PRIME 3.11: 3.11 - Core Objects - Standard service tasks
To keep the old behavior for the service task Core Objects: Drop Relation when upgrading PRIME to 3.11 you must do these parameter changes:
Parameter | Update |
---|---|
dataPoolName | Keep |
objectType | New. Set value from destinationType parameter |
destinationType | Remove |
See also this article:
- Configuration for PRIME 3.11: 3.11 - Core Objects - Standard service tasks
Upgrade from < 3.10.1 to >= 3.11.0
It is recommended to maintain certificates and PKCS#10 requests in the process map as bytes. Both certificates and PKCS#10 requests can be represented either in their ASN.1 binary form or as UTF-8 bytes of the PEM encoded form.
- It is now required to get the data as byte for a number of tasks:
  - Cert: Execute PKCS10 Request (${executePKCS10RequestTask})
    - Attribute:
      - P10RequestFormEntry
  - Cert: Extract PKCS#10 Attributes From Request (${extractPKCS10AttributesFromRequestTask})
    - Attribute:
      - P10RequestFormEntry
  - Personal Messaging: Install Certificates on Personal Mobile (${hermodInstallCertificatesTask})
    - Attributes:
      - signatureCertificate
      - authenticationCertificate
      - deviceEncryptionP10
  - Personal Messaging: Install Certificates on Virtual Smartcard (${pxVscHermodInstallCertificatesTask})
    - Attributes:
      - signatureCertificate
      - authenticationCertificate
      - deviceEncryptionP10
- The binary form will now be emitted from a number of tasks:
  - Cert: Execute PKCS10 Request (${executePKCS10RequestTask})
    - Attribute:
      - P10RequestFormResult
  - Personal Messaging: Create Key on Personal Mobile (${hermodKeyCreationTask})
    - Variables in the process map provided by the subsequent event:
      - SIG_P10_VAR
      - AUTH_P10_VAR
      - DEVICE_ENC_P10_VAR
  - Personal Messaging: Create Key on Virtual Smartcard (${pxVscHermodKeyCreationTask})
    - Variables in the process map provided by the subsequent event:
      - SIG_P10_VAR
      - AUTH_P10_VAR
      - DEVICE_ENC_P10_VAR
- It's also necessary to do a database update as a new table was introduced.
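The two byte representations named above (ASN.1 binary, or UTF-8 bytes of the PEM form) can be told apart and normalized before a value is handed to a task. This added example is plain Python, not PRIME code or a PRIME API; the function names are hypothetical and the sample value is a constructed stand-in for a real PKCS#10 request.

```python
import base64
import re

# PEM armor for certificates and PKCS#10 requests.
_PEM_RE = re.compile(
    rb"-----BEGIN (CERTIFICATE|CERTIFICATE REQUEST|NEW CERTIFICATE REQUEST)-----"
    rb"(.*?)-----END \1-----", re.DOTALL)


def der_total_length(data):
    """Size in bytes (header + content) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der(value):
    """Accept DER bytes or UTF-8 bytes of a PEM block; return DER bytes."""
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError("expected bytes, got " + type(value).__name__)
    value = bytes(value)
    m = _PEM_RE.search(value)
    der = base64.b64decode(b"".join(m.group(2).split()), validate=True) if m else value
    if der_total_length(der) != len(der):
        raise ValueError("declared DER length does not match the data")
    return der


def to_pem_bytes(der, label):
    """Wrap DER in PEM armor and return the text as UTF-8 bytes."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("utf-8")


# Constructed sample: a minimal DER SEQUENCE standing in for a real request.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = to_pem_bytes(SAMPLE_DER, "CERTIFICATE REQUEST")
```

A value still held as a string (the pre-upgrade habit) is rejected with a `TypeError`, and a truncated or padded blob fails the length check instead of reaching the CA.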
Additional information
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.