The Credential Store is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data with a symmetric key that is derived from the user's Windows logon credentials. Once encrypted, the data can only be decrypted by the same Windows user. For more information, see the Windows Data Protection article on the Microsoft website.
For more information about DPAPI and the encryption settings used by Pega Robot Studio and Pega Robot Runtime, as well as the SHA version that is used for your version of Windows, see Encryption settings for Pega Robotic Automation.
The following sections detail some frequently asked questions about the Credential Store:
Where are credentials stored?
Credentials are stored locally on the machine in an encrypted file in the user’s application data directory. The Credential Store does not use a central server.
For example, the path for credentials that are stored in version 19.1 and later is:
C:\Users\John Doe\AppData\Pegasystems\Pega Robot Studio\AppInfo
The following is an example path for credentials that are stored in version 8.0 SP1 and earlier:
C:\Users\John Doe\AppData\Roaming\Pegasystems Inc\OpenSpan Studio\AppInfo
How are credentials stored?
The Credential Store component persists the following strings: application name, user name, password and domain. DPAPI first generates a strong key called a MasterKey, which is protected by the user's logon password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in the Password Based Encryption Standard (PKCS) #5, to derive a key from that password. This password-derived key is used to encrypt the MasterKey, which is stored in the user's profile directory. The original DPAPI design used Triple-DES for this step; Windows Vista and later default to AES-256, and the hash algorithm depends on the Windows version (see the encryption settings article referenced above).
The MasterKey, however, is not used directly to protect the data. Instead, a symmetric session key is generated from the MasterKey, some random data, and an additional entropy string that Pega supplies to DPAPI through its optional-entropy parameter. The session key is never stored. Instead, DPAPI stores the random data it used to generate the key inside the opaque data blob. When the blob is passed back to DPAPI, that random data is used to re-create the session key and unprotect the data.
For security reasons, MasterKeys expire: after a fixed interval, hard-coded at three months, a new MasterKey is generated and protected in the same manner. Blobs created under an earlier MasterKey remain readable, because each blob records which MasterKey it was created with. This expiration limits the damage from the compromise of a single MasterKey, since one key no longer unlocks all of a user's protected data.
Can anyone view or decrypt stored credentials?
No. DPAPI ties the blob to the Windows account that created it, so only that user (on a machine where that user's MasterKeys are available) can decrypt it. The additional entropy string supplied by Pega must be presented again at decryption time, so another application running under the same Windows account cannot decrypt the credential data by calling DPAPI on its own; it would also have to supply the same entropy value. Note that this is an application-scoping control rather than a second password: DPAPI protects data per user account, and any code that runs in that user's session and knows the entropy value can decrypt the blob. Desktops that hold stored credentials should therefore be protected with the same care as the credentials themselves.
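The following PowerShell script is an added example, not code from Pega Robot Studio or Runtime. It illustrates the two preceding answers: it calls DPAPI through the .NET ProtectedData class (a wrapper around CryptProtectData and CryptUnprotectData), protects a string with an optional entropy value, and then shows that the same user can only unprotect it when the same entropy is supplied. The entropy value, the sample password and the function names are assumptions for the example; Pega's actual entropy string is not published and is not used here.

```powershell
# Added example, not Pega code: DPAPI protect/unprotect with optional entropy
# via .NET ProtectedData (wraps CryptProtectData / CryptUnprotectData).
Add-Type -AssemblyName System.Security

# Hypothetical application entropy; Pega's real value is not published and is not used here.
$AppEntropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')

function Protect-Secret {
    param([string]$PlainText, [byte[]]$Entropy, [string]$Scope = 'CurrentUser')
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser: only this Windows account can unprotect the blob.
    # LocalMachine: any account on this computer can unprotect it (avoid for credentials).
    [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]$Scope)
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy)
    # The blob itself records which MasterKey was used and carries the random data
    # DPAPI needs to rebuild the session key; the caller only re-supplies the entropy.
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Sample secret, constructed for the example.
$blob = Protect-Secret -PlainText 'P@ssw0rd!' -Entropy $AppEntropy
"Blob is $($blob.Length) bytes of opaque data; the session key is not stored in it"

# Same Windows user, same entropy: succeeds and returns the plaintext.
Unprotect-Secret -Blob $blob -Entropy $AppEntropy

# Same Windows user, different entropy (another application calling DPAPI on its own): fails.
try {
    $other = [System.Text.Encoding]::UTF8.GetBytes('some-other-app')
    Unprotect-Secret -Blob $blob -Entropy $other
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect with the wrong entropy failed as expected: $($_.Exception.Message)"
}
```

Run the script as one Windows user and then copy the blob to a session of a different user: the second Unprotect-Secret call fails with the same CryptographicException even when the correct entropy is supplied, which is the per-user binding the text describes. Copying the entropy value into a second script under the original user, by contrast, succeeds, which is why the entropy should be treated as a scoping aid and not as a secret that survives on a compromised desktop.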
Where is the software installed?
The Credential Store component is installed with Pega Robot Studio and Pega Robot Runtime. Pega Robot Studio is installed on developer desktops. Pega Robot Runtime is installed on solution user desktops.
How are passwords managed?
The Credential Store component is used by Pega Robot Studio developers when they create automations which are then deployed to the end-user desktop and executed by Pega Robot Runtime. Automations run independently on each end-user desktop and are not connected to a central management server following deployment. Developers can choose to enforce password management functions within their automations, but there is no server that centrally manages password rules.
How often does the user have to input their credentials?
The Credential Store component can persist credentials indefinitely. However, developers can choose to enforce password management functions within their automations, including periodically prompting for re-entry of stored passwords or clearing them. For instance, a developer can create an automation that prompts users for credentials the first time they log on. On subsequent logons, the automation logs the user in automatically until it detects that a login has failed. Once a login has failed, the automation clears the stored entry and prompts the user to re-enter their credentials.
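The following PowerShell script is an added example, not code from Pega Robot Studio or Runtime, of the prompt-once, reuse-until-failure flow described above. It stores the four strings the Credential Store persists (application name, domain, user name, password) as one DPAPI-protected file under the user's roaming profile, tries a logon with the stored values, and falls back to prompting and re-saving when the logon fails. The file path, the entropy value and the Test-TargetLogon stand-in (which accepts one hard-coded password so the script runs offline) are assumptions for the example; a real automation would replace Test-TargetLogon with its actual logon step.

```powershell
# Added example, not Pega code: a minimal DPAPI-backed credential cache with
# prompt-on-first-use and re-prompt-on-failure behaviour.
Add-Type -AssemblyName System.Security

# Hypothetical store location and entropy; not Pega's AppInfo layout or entropy value.
$StorePath  = Join-Path $env:APPDATA 'ExampleApp\credential.bin'
$AppEntropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')

function Save-StoredCredential {
    param([string]$AppName, [string]$Domain, [string]$UserName, [string]$Password)
    # One JSON record holding the four strings, protected as a single DPAPI blob.
    $record = @{ app = $AppName; domain = $Domain; user = $UserName; password = $Password } |
        ConvertTo-Json -Compress
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::UTF8.GetBytes($record), $AppEntropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    New-Item -ItemType Directory -Force -Path (Split-Path $StorePath) | Out-Null
    [System.IO.File]::WriteAllBytes($StorePath, $blob)
}

function Get-StoredCredential {
    if (-not (Test-Path $StorePath)) { return $null }
    $blob  = [System.IO.File]::ReadAllBytes($StorePath)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $AppEntropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($bytes) | ConvertFrom-Json
}

function Clear-StoredCredential {
    # "Clearing" a stored password is simply deleting the blob file.
    Remove-Item -Path $StorePath -ErrorAction SilentlyContinue
}

function Test-TargetLogon {
    param([string]$Domain, [string]$UserName, [string]$Password)
    # Stand-in for the target application's logon (constructed for the example).
    return ($Password -eq 'correct-horse-battery')
}

function Invoke-AutomationLogon {
    $stored = Get-StoredCredential
    if ($stored -and (Test-TargetLogon $stored.domain $stored.user $stored.password)) {
        return "Logged on as $($stored.user) using stored credentials"
    }
    # First run, or the stored password no longer works: discard it and prompt.
    Clear-StoredCredential
    $entered = Get-Credential -Message 'Enter credentials for ExampleApp'
    $net = $entered.GetNetworkCredential()
    if (-not (Test-TargetLogon $net.Domain $net.UserName $net.Password)) {
        throw 'Logon failed with the entered credentials; nothing was stored'
    }
    Save-StoredCredential -AppName 'ExampleApp' -Domain $net.Domain `
        -UserName $net.UserName -Password $net.Password
    return "Logged on as $($net.UserName) after prompting; credentials stored for next time"
}

Invoke-AutomationLogon
```

The first run prompts and writes the blob; subsequent runs log on silently. Changing the accepted password in Test-TargetLogon (or, in a real deployment, rotating the target account's password) makes the next run detect the failure, delete the file and prompt again, which is the behaviour the answer describes. Because the blob is DPAPI-protected with CurrentUser scope, the file is unreadable if copied to another user's profile, and a failed Unprotect raises a CryptographicException that an automation should treat the same way as a failed logon.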
Does the software log who accessed credentials or who accessed the tool?
The client can enable local logging of the Pega Robot Runtime environment, which provides general log details. Optionally, you can use events to log extended or custom events, such as each time an automation reads from or writes to the Credential Store. These events can be written to a central repository and can be limited to the specific items that you want to see.
Is this software commonly deployed by other clients?
Yes. We have deployed this capability to several other clients. Implementation of the credential store varies from account to account depending on project requirements, internal security policies, and the infrastructure already in place.