Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Upgrade from PRIME 3.11 to PRIME 3.12

Owned by Ann Base (Deactivated)
Last updated: Jan 18, 2024 by Ylva Andersson
4 min read

This article is valid from Nexus PRIME 3.12

This article describes the steps that must be done when upgrading Nexus PRIME from version 3.11 to 3.12. The instructions cover relevant changes for standard features that can be used by configuration in PRIME Designer or configuration files. Customization changes in internal APIs etc are not included.

If you upgrade from a more previous version, you must do the upgrades step by step, that is, first upgrade from 3.10 to 3.11 and then from 3.11 to 3.12. If that is the case, see also Upgrade from PRIME 3.10 to PRIME 3.11.

Upgraded PRIME to 3.12, see Upgrade PRIME.

Upgrade information

The SAML implementation has been revised and significant changes have been done to simplify the configuration.

For that reason, there is no automated upgrade path for an existing SAML configuration. SAML authentication profiles from previous releases have to be deleted and re-configured when upgrading to 3.12.

For details on how to configure SAML in PRIME 3.12, see chapters "Configure SAML SSO Core Object profile" and "Configure SAML SSO LDAP profile" in Set up authentication profile.



With PRIME 3.12 the latest major release of Nexus Certificate Manager (CM), version 8.1, is supported. With CM 8, several changes have been done in the integration interfaces. A downgrade to older CM versions just by replacing corresponding CMSDK files, is no longer possible. It is therefore highly recommend to upgrade CM to version 8.1. If you cannot upgrade immediately, there is a backport patch to CM version 7.18.1. See separate instructions that are delivered with the patch for details.



All PRIME PKI connectors have been moved to the internal connector architecture. This was done already with the previous PRIME release. Therefore the old "External CA Connector" interface is no longer needed and it has been removed in the PRIME Designer configuration.

If you still have a PKI connected via this interface, you need to switch to the corresponding internal PRIME connector instead.



As part of external PKI connector cleanup, the old "trustserver" functionality has been changed. "trustserver" was used in early PRIME projects to store sensitive data (like PIN and PUK) in Nexus Certificate Manager. Since sensitive data now can be encrypted also in PRIME, the trustserver functionality is only kept for compatibility reasons for existing PRIME installations.

Therefore the standalone usage of "trustserver" is no longer supported. Only the "combined" approach (new secrets are stored in PRIME internally, fallback is to check trustserver) can be used with PRIME 3.12.

In earlier releases, this functionality required nexus_cm.properties configuration in PRIME Designer, PRIME Explorer and PRIME Tenant. The current implementation requires a trustserver.properties available in all three applications. But only PRIME Explorer needs a working configuration, see an example file below. In PRIME Designer and PRIME Tenant, the file can be empty.

Example of truststore.properties
# config for trustserver cmConnectorConfigName=InternalCMConnector caTokenProcedureStoreSecret=handleCardsSecrets caTokenProcedureRecovery=TP_RecoverKey caTokenProcedureImportCert=Import_MyCertificate certificateManagerIssuerIdentifier=CN=CM DEV Issuing CA, O=CM DEV, C=DE











Upgrade from PRIME 3.11.5 to 3.11.6

Upgrade from PRIME 3.12.14 to 3.12.16

Additional information





Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions