Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Securely authenticating in Deployment Manager

Updated on February 4, 2021

Deployment Manager 5.1 now supports an OAuth 2.0 token-based authentication process for a more secure operator experience within the orchestrator and candidate environments. This authentication and authorization model provides many benefits, including the ability to audit user operations within Deployment Manager, as all actions are now connected to an operator ID instead of a generic authentication profile, such as DMReleaseAdmin.

Keystore and truststore setup

Enabling encryption between nodes secures the data that is transferred across nodes so that an unauthorized host cannot access the data. Create a keystore.jks for the private key and the associated certificate or certificate chain. Ensure that you have your keystore.jks and truststore.jks files readily available for upload before beginning this step.

Ensure that you save the alias and passwords used to create the JKS files as they are used to setup Deployment Manager. For more information on creating these files, see Creating the keystore.jks and truststore.jks files.

Deployment Manager establishes secure token-based communication with the Deployment Manager Service APIs. The key store and trust store configuration is setup to ensure the portal functions correctly.

On the orchestrator:

  1. In the navigation pane of Dev Studio, click Records Security Keystore.
  2. Open the DMKeyStore rule to upload the keystore and update the keystore password.
  3. Click Save.
  4. To enable communication from Deployment Manager:
    1. From Dev studio, open Token Profile from the Records menu and Security sub menu.
    2. Open the DeploymentManagerClientJWTProfile token profile rule.
    3. Under the Security section, ensure that the keystore refers to DMKeyStore.
    4. Update the alias that you defined when creating the keystore, and update the password to the password that you set when setting up the truststore.
    5. Click Save.
On candidate environments
  1. To establish communication between non-trusted systems:
    • Create and configure the DMKeyStore as you did on the orchestrator.
    • Update PegaDeploymentManagerIntegrations TrustStore dynamic system setting to DMKeyStore.


  1. What should I do if deployments are stuck INPROGRESS with a java.lang.IllegalArgumentException: Empty key error in the logs?
    • This is a known issue in Pega Platform 8.5.2 related to OAuth 2.0. As a workaround, perform the following steps.
      Note: This has been resolved in Pega Platform 8.5.2 as part of Hotfix-69607.
      1. Log in to Deployment Manager with the SUPERADMIN role.
      2. From the navigation pane, click Switch to Dev Studio Records explorer Security OAuth 2.0 Client Registration.
      3. Open DeploymentManagerClient client registration.
      4. Click Revoke access and refresh token.

Previous: Setting up candidate environments

Next: Configuring an application

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us