Published Release Notes

Integrated Application Security Checklist helps you deploy a secure application

Pega^® Platform now provides an Application Security Checklist that you can refer to when you prepare your application for deployment. By completing the recommended tasks in this checklist, you can track your progress, access instructional information for tasks, and verify that your configurations are secure.

For more information, see Preparing your application for secure deployment, Compliance Score tab, Designer Studio — Home page.

Encrypt sensitive case data by using a secure default Pega Platform cipher and AWS KMS keys

You can encrypt sensitive data within your application without having to write custom cipher classes. You can configure encryption on the Data Encryption landing page by using your own keys managed in your private Amazon Web Services Key Management Service (AWS KMS) instance. Pega^® Platform encryption uses keys that are stored in AWS KMS to support both time-based and on-demand key rotation. Technical issues can arise in some cases, for example, if a key is deleted from AWS KMS.

For more information, see Potential problems with keystores when using AWS KMS, Configuring a Platform cipher, Types of ciphers.

REST services support password credentials and JWT Bearer grant types

Pega^® Platform REST services now support password credentials and the JWT (JSON Web Token) Bearer grant type when you enable OAuth 2.0-based authentication. By using password credentials, you can quickly migrate clients from direct authentication schemes, provide additional flexibility when other grants are not available, and integrate your application with REST services in other applications. You can add compatibility with modern JWT-based cloud security IDPs by using the JWT Bearer grant type.

For more information, see About OAuth 2.0 Provider data instances, OAuth 2.0 Client Registration data instances - Completing the Client Information tab, Creating an Identity Mapping data instance.

Improvements to email case triaging

Improvements to Pega Intelligent Virtual Assistant™ (IVA) for Email make the system more robust and user friendly. When you reply to emails in a triage case, you can forward the email, reply to all, and use the carbon copy (cc) and blind carbon copy (bcc) fields. You can also send Pulse messages to discuss an email case without exposing the information to external users. You are notified in the Email Manager and Case Manager portal if you receive Pulse messages. Even when an email case has been resolved and appears as read-only, you can still send Pulse messages.

For more information, see Email Manager portal and Email triage.

All search data is encrypted

All search data in Pega Cloud deployments is now encrypted, both at rest and in transit. The encryption of search data makes search compliant with regulatory requirements.

For more information about search, see Full-text search.

Authentication service for basic credentials

A new type of authentication service is available for authenticating operators by using basic credentials (user ID and password). The default Pega Platform™ login is now an instance of this type of authentication service. All basic credentials authentication services include mobile authentication with the OAuth 2.0 protocol and Proof Key for Code Exchange (PKCE). You no longer have to create a custom authentication service to support mobile applications.

For more information, see Configuring a basic authentication service.

Unauthenticated sessions transition seamlessly to authenticated

A new authentication service type allows a guest user to use an application without logging in, and to be prompted to authenticate later in the session. This enhancement supports scenarios such as online shopping portals where a user can browse for items and load a shopping cart as a guest but be prompted for credentials at checkout.

For more information, see Configuring an anonymous authentication service.

Create single sign-on authentication services from App Studio

You can create and enable single sign-on (SSO) authentication services from a new landing page in App Studio. From this new landing page you can also configure new SAML and OpenID Connect authentication services to provision users. For more information, see Creating a SAML SSO authentication service and Creating an OIDC SSO authentication service.

Improvements to the Email channel configuration and content analysis

To make the Intelligent Virtual Assistant™ (IVA) for Email more useful and easier to manage, you can track all the Email channel configuration changes that you or other operators make. The system now also detects defined entities and topics, not only in the contents of the email messages and its attached files, but also in the email subject field which improves the responsiveness of IVA to emails. You can map same text that appears in an email triage case to different entities. In previous versions of Pega Platform, only the email body was analyzed but with subject analysis, now the entire email is analyzed for topics and entities, including its salutation and signature.

For more information, see Tracking configuration changes in the Email channel and Enabling the analysis of subject field content during email triage.

Protect against insecure deserialization

Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top 10 security vulnerabilities for web applications. Pega Platform™ protects against this vulnerability by using filters that prevent deserialization of suspect data streams. You can configure these filters from the Deserialization Blacklist landing page.

For more information, see Configuring the deserialization filter.