Document toolboxDocument toolbox

Certificates - Standard service tasks in Identity Manager

This article includes updates for Smart ID 23.10.6.

Cert: Certificate Publication via CM

Description 

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Smart ID Certificate Manager (CM) based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

publicationProcedure

 

Example value:

  • CertEP CA Certificate to AD (Enrollment Services)

Publication procedure defined on Smart ID Certificate Manager (CM).

serialnumberField

 

Certificate_CertSerial

Name of the field containing the serial number in the datamap.

DataPoolName_Certificate

 

Certificate

Datapool name of certificate.

serialNumberIsDecimal

-

Valid values:

  • true (default)

  • false

Indicates that the serial number is in decimal format already.

If this field is set to "false" or left out, the serial number will be interpreted as hex format.

Cert: Create ACME pre-registration order

Description

Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). You need to use Smart ID Certificate Manager 8.1 or later.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${acmePreRegistrationTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

hmackey

 

 

The shared secret to secure the further communication

keyid

 

 

Identifies the account

alloweddomains

-

 

A comma-separated list of domains, that the account is allowed to order certificates for.

certificateTemplate

 

 

Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway.

Cert: Create CMP order request

Description 

Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) CMP enrollment request from specified clients. This service task parameters can be extended for other certificate attributes, which are listed below.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${cmpOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

certTemplate

 

Example:

  • MyCmpRegTemplate

Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.

commonName

 

Example value:

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain "

password

-

 

Optional password used to verify CMP enrollment requests sent by clients later. So it will be the same password which will be used by clients in CMP enrollment request.

state

 

Valid values:

  • Open (default)

  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity

-

Valid values:

  • always (default if not set)

  • number of days

Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

 

Cert: Create EST order request

Description 

Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${estOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

certTemplate

 

Example value:

  • ScmCtServerCertificateP10

Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.

commonName

 

Example value:

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain "

userName

-

 

User name which is allowed to make EST request.

password

 

 

Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request.

state

 

Valid values:

  • Open (default)

  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity

-

Valid values:

  • always (default if not set)

  • number of days

Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

realm

-

Example value:

  • est-realm

realm details

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country

  • commonname

  • emailaddress

  • dmd

  • givenname

  • initials

  • keyprocedureid

  • locality

  • organisation

  • organizationidentifier

  • pseudonym

  • title

  • uniqueidentifier

  • surname

  • telephonenumber

  • street

  • stateorprovince

  • postalcode

  • encoding

  • othernameoid

  • othernameencoding

  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit

  • postaladdress

  • sanemailaddress

  • ipaddress

  • dns

  • directory

  • uri

  • registeredid

Cert: Create SCEP order request

Description 

Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Smart ID Certificate Manager (CM). 

The task will be executed on server identities and use some details of the server identities for creating order request. The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration)  SCEP enrolment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

certTemplate

 

 

Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.

commonName

 

 

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain "

enrollReg

 

Valid values:

  • true

  • false

Registration enrolment flag (true/false).

password

 

 

Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request.

cpmState

 

Valid values:

  • 1000

  • 1001

This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM).

Set to 1000 to trigger a registration, 1001 to trigger a de-registration. 

validity

 

Valid values:

  • always (default)

  • <number of days>

Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

emailAddress

 

 

Email address of the responsible person.

ipAddress

 

 

IP address of the server of machine.

serialNumber

 

 

Serial number of the device if available. It is not mandatory so it can be blank.

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country

  • commonname

  • emailaddress

  • dmd

  • givenname

  • initials

  • keyprocedureid

  • locality

  • organisation

  • organizationidentifier

  • pseudonym

  • title

  • uniqueidentifier

  • surname

  • telephonenumber

  • street

  • stateorprovince

  • postalcode

  • encoding

  • othernameoid

  • othernameencoding

  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit

  • postaladdress

  • sanemailaddress

  • ipaddress

  • dns

  • directory

  • uri

  • registeredid

 

Cert: Execute PKCS10 Request

Description

Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

P10RequestFormEntry

 

Example value:

  • p10input

Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.

P10RequestFormResult

 

Example value:

  • certResult

Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.

P7ResponseField

-

Example value:

  • certChain

Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

certTemplate

 

Example value:

  • ScmCtServerCertificateP10

Certificate template name.

booleanResultWithPEMHeaders

-

Example value:

  • true

Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

There are three types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 

    • This BPMN Error code appears when we have any connection issue with CA.

  • Error Code = CaRequestFailed

    • This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.

  • Error Code = CommonError

    • This BPMN Error code appears when there is a problem with crafting the p10 request.

Cert: Execute Modified PKCS10 Request

In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask} .

Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0.

Description

This task works with Smart ID Certificate Manager (CM) only. Other certificate authorities are not compatible.

Use this task to send a certificate request based on extracted PKCS#10 data (via Cert: Extract PKCS#10 Attributes From Request) combined with certificate template data. Mapped Certificate data-pool field values in the certificate template can be populated with extracted PKCS#10 data or set to custom values. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeModifiedPKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

P10RequestFormEntry

 

Example value:

  • p10input

Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.

P10RequestFormResult

 

Example value:

  • certResult

Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.

certTemplate

 

Example value:

  • ScmCtServerCertificateP10

Certificate template name.

booleanResultWithPEMHeaders

-

Example value:

  • true

Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

P7ResponseField

        -

Example value:

  • certChain

Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

There are three types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 

    • This BPMN Error code appears when we have any connection issue with CA.

  • Error Code = CaRequestFailed

    • This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.

  • Error Code = CommonError

    • This BPMN Error code appears when there is a problem with crafting the p10 request.

Cert: Extract Certificate Attributes

Description

Use this task to extract attributes from a certificate. 

Configuration

To use this task, configure the following delegate expression in your service task:

${extractCertAttributesTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Example Value

Description

Parameter

Mandatory

Example Value

Description

X509Field

 

Certificate_Data

The name of the field containing the certificate as binary data. It must be contained in the process map.

RSAPublicExponent

-

CERTpublicExponent

Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates.

keySize

-

CERTkeySize

Field to store the key size of the certificate's public key as Integer.

keyType*

-

CERTkeyType

Field to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change!

keyUsage*

-

CERTkeyUsage

Field to store the key usages.

extKeyUsage*

-

CERTextKeyUsage

Field to store the extended key usages.

hashAlgorithm*

-

CERThashAlgorithm

Field to store the hash algorithm name.

validFrom

-

CERTvalidFrom

Field to store the start date of the validity period as Date.

validTo

-

CERTvalidTo

Field to store the end date of the validity period as Date.

subjectDN

-

CERTsubjectDN

Field to store the subject distinguished name.

issuerDN

-

CERTissuerDN

Field to store the issuer distinguished name.

certSerialNumber

-

CERTserialNumber

Field to store the serial number.

cdpUrls*

-

CERTcdpUrls

Field to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated.

ocspUrls*

-

CERTocspUrls

Field to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated.

caIssuerUrls*

-

CERTcaIssuerUrls

Field to store a concatenated string of all CA issuer URLs in.
They are comma-space-separated.

SAN_EMAIL

-

CERTsanEmail

Field to store the SAN email addresses.

SAN_UPN

-

CERTsanUpn

Field to store the SAN user principal names.

SAN_DNS

-

CERTsanDns

Field to store the SAN dns names.

SAN_IP

-

CERTsanIp

Field to store the SAN ip addresses.

SAN_URI

-

CERTsanUri

Field to store the SAN uniform resource identifiers.

SAN_GUID

-

CERTsanGuid

Field to store the SAN globally unique identifiers.

SAN_RID

-

CERTsanRid

Field to store the SAN registered IDs.

SAN_KRB5PRINCIPALNAME

-

CERTsanKrb5Principal

Field to store the SAN Kerberos 5 principal names.
The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]}

NameTypes are defined in RFC-4120, section 7.5.8 .

GIVENNAME

-

CertDnGIVENNAME

Field to store the given name.

SURNAME

-

CertDnSURNAME

Field to store the surname.

NAME

-

CertDnNAME

Field to store the name.

GENERATION

-

CertDnGENERATION

Field to store the generation.

C

-

CertDnC

Field to store the country.

CN

-

CertDnCN

Field to store the common name.

L

-

CertDnL

Field to store the locality.

O

-

CertDnO

Field to store the organization.

OU

-

CertDnOU

Field to store the organizational unit.

ST

-

CertDnST

Field to store the state.

INITIALS

-

CertDnINITIALS

Field to store the initials.

TITLE

-

CertDnTITLE

Field to store the title.

E

-

CertDnEMAIL

Field to store the email adress (from DN).

PSEUDONYM

-

CertDnPSEUDONYM

Field to store the pseudonym.

DNQ

-

CertDnDNQ

Field to store the DN qualifier.

USER_ID

-

CertDnUSERID

Field to store the user ID.

TELEPHONE_NUMBER

-

CertDnTEL

Field to store the telephone number.

POSTAL_CODE

-

CertDnPOSTALCODE

Field to store the postal code.

POSTAL_ADDRESS

-

CertDnPOSTALADDR

Field to store the postal address.

STREET

-

CertDnSTREET

Field to store the street.

NAME

-

CertDnNAME

Field to st

UNIQUE_IDENTIFIER

-

CertDnUNIQUEID

Field to store the unique identifier.

SN

-

CertDnSERIAL

Field to store the DN serial number.

ORGANIZATION_IDENTIFIER

-

CertDnORGID

Field to store the organisation identifier.

DC

-

CertDnDC

Field to store the domain component.

If non-datapool target fields are used for extracted attributes, then you will run into problems when extracting multiple instances of the same attribute (e.g. multiple OUs).

Example:

Your DN is as follows: DN=hello, OU=firstOrg, OU=secondOrg

Your target variable for the OU parameter is: DnOrgUnit

This results in two variable assignments:

  • DnOrgUnit = firstOrg

  • DnOrgUnit_1 = secondOrg

The issue here is that DnOrgUnit_1 contains an underscore despite not being a Datapool-field.
This will cause it being misinterpreted as being field 1 of the datapool DnOrgUnit instead of a a standard process variable named DnOrgUnit_1.

To avoid this, either make sure all your target fields are datapool fields, or use additional service tasks that copy the values into proper named fields before further processing.

You can, for example, use the Process: Set Value of Variable in Process Map task and set the following parameters:

  • variableName: DNattrOU1

  • variableValue: ${DNattrOU_1}

In case of error

The following parameters are set in case of error:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

ExtractionResult*

-

Valid values:

  • success (default)

  • error

The value is default set to "success".

If one of the following errors occurs, the value is set to "error":

  • The field containing the certificate is empty.

  • One of the attributes exceeds 2000 characters (limitation by Activiti).

ExtractionResultErrorMsg*

-

Valid values:

  • "Certificate data is empty"

  • "The attribute 'xy' exceeded 2000 characters."

If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters."

  • - These parameters require PRIME 3.12.4 or later.

Cert: Extract PKCS#10 Attributes From Request

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

P10RequestFormEntry

 

Example value:

  • p10input

Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary.

Extracted attributes

Subject DN attributes

Prefix

Result

Subject DN attributes

Prefix

Result

  • Email = E

  • Common Name = CN

  • Country = C

  • Organisation = O

  • Title = T

  • Surname = SURNAME

  • State = ST

  • Given Name = GIVENNAME

  • Organisation Unit = OU

  • Serial Number = SN

  • Unique Identifier = UID

  • Street = STREET

PKCS10RequestFormEntry

  • PKCS10RequestFormEntryE

  • PKCS10RequestFormEntryCN

  • PKCS10RequestFormEntryC

  • PKCS10RequestFormEntryO

  • PKCS10RequestFormEntryT

  • PKCS10RequestFormEntrySURNAME

  • PKCS10RequestFormEntryST

  • PKCS10RequestFormEntryGIVENNAME

  • PKCS10RequestFormEntryOU

  • PKCS10RequestFormEntrySN

  • PKCS10RequestFormEntryUID

  • PKCS10RequestFormEntrySTREET

SAN attributes

Prefix

Result

  • SAN EMAIL = SANEMAIL

  • SAN GUID = SANGUID

  • SAN DNS = SANDNS

  • SAN UPN = SANUPN

  • SAN IP = SANIP

  • SAN RID = SANRID

  • SAN KRB5PRINCIPALNAME = SANKRB5PRINCIPALNAME

PKCS10RequestFormEntry

  • PKCS10RequestFormEntrySANEMAIL

  • PKCS10RequestFormEntrySANGUID

  • PKCS10RequestFormEntrySANDNS

  • PKCS10RequestFormEntrySANUPN

  • PKCS10RequestFormEntrySANIP

  • PKCS10RequestFormEntrySANRID

  • PKCS10RequestFormEntrySANKRB5PRINCIPALNAME

    • The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

      {"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]}

      NameTypes are defined in RFC-4120, section 7.5.8 .

Other attributes

Prefix

Result

  • Key size

  • Algorithm (+ curve)*

  • HashAlgorithm

  • (as boolean) = the signature is valid

PKCS10RequestFormEntry

  • PKCS10RequestFormEntryKeySize

  • PKCS10RequestFormEntryKeyType

  • PKCS10RequestFormEntryHashAlgorithm

  • PKCS10RequestFormEntrySignatureValid

*Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.

Cert: Load Key History List

Description

Loads the certificate history of a user, as a list of the certificates' Core Object IDs, into the process map, in order to recover these certificates in a later step. The relevant certificates are identified by the <certTemplates> types and the ObjectRelations either directly to the user, or via a related card. The list is ordered by 'validTo'-date descending, and the number of provided certificates can be limited by <count>. The task is intended to be a simple way to implement standard recovery cases. More special cases can be done via SearchConfigurations. Recovery supports simple Core Object ID lists, like provided here, or CoreObjectDescriptor-lists provided by Processes: Execute Search Tasks.

SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database. 

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

certTemplates

 

 

A comma separated list of the certificate core template names of the certificates to be recovered.

count

 

 

Maximum number of certificate ids to be provided via this task.

processVariable

 

Certificate_CoreObjects or PcmDpCertificate_CoreObjects

Variable name in the process map, where the certificate Core Object IDs should be provided for subsequent recovery.

DataPoolName_Certificate

 

 

The datapool name of the Certificate core object.

DataPoolName_Person

 

 

The datapool name of the Person core object.

DataPoolName_Card

 

 

The datapool name of the Card core object.

ObjectRelationType

 

Example value: 

  • Default, Deputy

A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy).

When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types.

This is a general white-list, which does not distinguish between the objects involved in a relation, like Person<>Card, Person<>Certificate, Card<>Certificate, etc. Therefore you have to be very careful in constructing the relations to avoid accidental recovery of unwanted certificates.

Example

Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card.

Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User".

Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match.

To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them.

 

To use this task, select it in Identity Manager Admin and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.

Cert: PGP Soft Token

Description

Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager (CM).

When new certificates are requested, the values will be taken from the certificate template configured under "archivalTemplate". The following attributes can be set:

Attribute

Description

Attribute

Description

Common Name (CN)

Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Email (SAN_EMAIL)

Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Surname (SURNAME)

Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Givenname (GIVENNAME)

Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

requestAndArchive

 

Valid values:

  • true (default)

  • false

If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived)

passwordField

 

Person_PasswordRef

Name of secret field in which the password for encrypting the secret keyrings is provided

archivalTemplate

if requestAndArchive true

 PkiBoPgpCert

Name of the PGP archival certificate template configured in Identity Manager, must match the config of ${prepareDataForCertificateKeyRecoveryTask}

archivalSubjectSerialNumberPrefix

-

${Person_UPN}

Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like this: "MyResolvedPrefixc97cb0de-
4774-454c-8568-82fbcd6ee710"

recover

 

Valid values:

  • true (default)

  • false

If true, then existing PGP keys for the user will be recovered

recoveryTemplate

if recover true

PkiBoPgpRecovery

Name of the PGP recovery certificate template configured in Identity Manager

certificatesForRecovery

if recover true

 Certificate_CoreObjects

Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 

mailDefinitionName

if publicKeyringsField and secretKeyringsField missing

 PGP Softtoken Mail

Name of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing)

mailEncryptionCertificates

-

 Certificate_Enc

Process var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail.

publicKeyringsField

if mailDefinitionName missing

PublicPgpKeyRefForDownload

Name of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap)

secretKeyringsField

if mailDefinitionName missing

 SecretPgpKeyRefForDownload

Name of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap)

errorMessageField

 

ErrorMessage (default value)

Name of the process var into which the BpmnError message is saved if one is thrown

errorTypeField

 

ErrorType (default value)

Name of the process var into which the BpmnError type is saved if one is thrown

ssnsIssuedNotPropagatedField

 

SubjectSerialNumbersIssuedNotPropagated (default value)

Name of the process var into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, this might require additional lookups in Smart ID Certificate Manager (CM), though)

Cert: Request & Recover PKCS#12 Soft Token

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 Container and either save it to secret field store or send it via email. There are two ways to query the data base:

  • Recover the certificates found in process variable.

  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is queried the task will fail.

Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores can not be opened with java < 11.0.3 unless BouncyCastle (BC) is used as a KeyStore provider.

  • Windows can open the generated P12.

  • Java with Boucycastle can open the generated P12.

  • Java >= 11.0.3 without BC can open the generated keystores, however the encoding parameters selected in the softtoken task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use for example:

    • Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)

    • PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)

    • Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)

  • Nexus Personal Desktop Client can import the generated P12, however versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC

  • Nexus Smart ID Desktop App can import the generated P12, however versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

p12PasswordField

 

Example value:

  • Person_PasswordRef

Password variable field for the generated PKCS#12 container. There are actions to create one.

recoverCerts

 

Valid values:

  • true (default)

  • false

Whether recovery should be executed.

processVariable

If recoverCerts = true

Example value:

  • Certificate_CoreObjects

Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 

recoveryTemplate

-

Example value:

  • Revocery

Certificate template used for recovery. Not necessary for some CAs.

requestCert

 

Valid values:

  • true (default)

  • false

Whether a new certificate should be requested (Plain request).

certTemplate

If requestCert = true

Example value:

  • MyCertTemplate

Certificate template used for requesting the new certificate.

includeChain

-

Valid values:

  • true (default)

  • false

If present and set to false, the certificate chain is skipped and only end-entity certificates will be included.

keyArchival

 

Valid values:

  • true (default)

  • false

Whether the created key are archived in the CA.

mailDefinitionName

-

Example value:

  • MyMailDefinition

If empty, no mail is sent.

encryptionCertificates

-

 

The core object descriptor list of the certificates used for email encryption.

p12RefField

-

Example value:

  • Person_Softtoken

Field to store PKCS#12 container in Base64 encoding.

errorMessageField

 

Example value:

  • ErrorMessage

Field to store the human readable message in case of error.

errorTypeField

 

Example value:

  • ErrorType

Field to store error type (ERROR, CA_ERROR or MAIL_ERROR).

certsToRevokeField

 

Example value:

  • CertsToRevoke

In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired.

p12EncryptionAlgo

-

Valid values:

  • PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)

  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

Default value:

  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

The encryption algorithm to use for the PKCS#12 keystore.

p12EncryptionIterations

-

Default value:

  • 100000

The encryption iterations

p12PseudoRandomFunction

-

Valid values:

  • HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    HMac with SHA-256 (OID: 1.2.840.113549.2.9)

Default value:

  • HMac with SHA-256 (OID: 1.2.840.113549.2.9)

The PRF to use for the PKCS#12 keystore

p12HashAlgo

-

Valid values:

  • SHA-1 (OID: 1.3.14.3.2.26)

  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

Default value:

  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

The hashing (MAC) algorithm to use for the PKCS#12 keystore

p12HashIterations

-

Default value:

  • 100000

The hashing (MAC) iterations

Cert: Update Certificate State from CRL

Description

Use this task to update the certificate state against the certificate CRL distribution point. This task takes the CoreObjectDescriptor list for the Certificate object and updates each certificate state based upon the provided CRL distribution points. 

Configuration

To use this task, configure the following delegate expression in your service task:

${updateCertificateStateFromCRLTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

coreObjectDescriptorList

 

Example value (resolved from variable):

  • ${Certificate_CoreObjectDescriptors}

Core object descriptor list of the Certificate Object.

Revocation State Mapping

Revocation reasons must be configured in Identity Manager Operator before using this feature. Transitions must be aligned with the certificate state graph. Identity Manager validates the transition for each CRL entry based upon specified system property mapping and state graph.

Follow these steps in Identity Manager Operator to open the revocation reason mapping settings:

  1. Go to the ADMIN tab.

  2. Select Configure system properties.

  3. Select CA Revocation Reason Mapping

This configuration is tenant-specific, but not stategraph-specific.

It is highly recommended to use a common state graph for all certificate configs within one tenant.

Keep your certificate state graph as simple as possible to avoid ambiguities, as you can map from multiple IDM states to the same revocation reason, but for the reverse mapping of revocation reason to IDM state you have to pick a single value.

For example, if you have both inactive and locked as IDM states and they both map to the revocation reason unspecified, then you have to decide whether an incoming CRL entry with reason unspecified shall set the IDM state to inactive or locked.
In such a case it is best to consolidate to a single IDM state per relevant revocation reason.

Example:

Revocation state

Possible IDM Certificate state Mapping

Revocation state

Possible IDM Certificate state Mapping

Certificate or key compromised

inactive

Temporary revoked

temporary.inactive

Certificate superseded

inactive

Reason not specified

inactive

Remove certificate from list

active

Certification Authority compromised

inactive

 Information about certificate has changed

inactive

Certificate is no longer used

inactive

Right withdrawn

inactive

Cert: Revoke Certificate

Description

Use this task to revoke an existing certificate. This task needs to be executed on a Certificate object or with Certificate data available in the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${revokeCertificateTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

certificateDataPool

 

Example value (fixed):

  • Certificate

Example value (resolved from variable):

  • ${certDataPool}

Certificate data pool name. Default Certificate data pool is "Certificate".

targetState

 

Example value (fixed):

  • Temporary Inactive

Example value (resolved from variable):

  • ${certState}

Target state of certificate

Cert: Trigger PGP Certificates Publication

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Smart ID Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

publicationProcedure

 

CertEP CA Certificate to AD (Enrollment Services)

Publication- or unpublication procedure defined on Smart ID Certificate Manager (CM).

serialnumberField

 

Certificate_CertSerial

Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object.

DataPoolName_Certificate

 

Certificate

Datapool name of certificate.

 

Cert: Validate Certificate CRL OCSP

Description

Use this task to check against Online Certificate Status Protocol (OCSP)/Certificate Revocation Lists (CRL) that a certificate is valid. OCSP and/or CRL information must be included in a valid certificate. For OCSP, the issuer must be trusted by Identity Manager Operator.

The service task requires a valid path to the truststore. The name of the truststore should be prime.truststore. See system properties to change the path and filename of the truststore.

Configuration

To use this task, configure the following delegate expression in your service task:

${checkX509ValidityTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

Parameter

Mandatory

Value

Description

certificateBinary

 

Example value:

  • Certificate_Data

Field of the datamap where the certificates binary is placed.

isValidityConfirmed

 

Example value:

  • isValidityConfirmed

Name of the field where the result is written into the datamap.

Possible values:

  • true (Certificate validity confirmed)

  • false (Certificate validity not confirmed)

revocationDate

 

Example value:

  • revocationDate

Name of the field where the revocation date is written into the datamap if the certificate is revoked.

resultInfo

 

Example value:

  • resultInfo

Name of the field where the message from the validation result is written into the datamap.

The resultInfo can contain the following content:

  • The certificate is valid.

  • The certificate is revoked.

  • The certificate is invalid or could not be validated.

resultInfoOCSP

 

Example value:

  • resultInfoOCSP

Name of the field where the message from the validation result of the OCSP is written into the datamap (if available).

The resultInfoOCSP can contain the following content: 

  • OCSP_NO_AUTHORITY_INFO_ACCESS: No responder URI in the certificate.

  • OCSP_RESPONDER_UNREACHABLE: The OCSP responder is offline.

  • OCSP_CERTIFICATE_TO_BE_CHECKED_INVALID: CA or entity certificate is broken.

  • OCSP_INVALID_URL: The OCSP URL is invalid.

  • OCSP_INVALID_ANSWER: The OCSP response is broken.

  • CERT_STATUS_REVOKED: The certificate is revoked.

  • CERT_STATUS_UNKNOWN: The certificate is unknown.

 

resultInfoCRL

 

Example values:

  • resultInfoCRL

Name of the field where the message from the validation result of the CRL is written into the datamap (if available).

The resultInfoCRL can contain the following content: 

  • CERT_ERROR_CRLLOCATION: Could not fetch or create CRL from the given location.

  • CERT_REVOKED: The CRL check resulted in a revoked certificate.

  • CRL_ERROR_VERIFICATION: The CRL signature could not be verified because of a broken truststore.

  • CRL_UNTRUSTED: The CRL is untrusted.

  • CRL_ERROR_VERIFICATION: An exception was thrown while trying to verify the CRL signature.

  • CRL_COULD_NOT_BE_FETCHED_FROM_CDP_URI: The CRL could not be fetched from CDP URI.

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions