Published Release Notes

This documentation is for non-current versions of Pega Platform. For current release notes, go here.

Integrated Application Security Checklist helps you deploy a secure application

Valid from Pega Version 7.3.1

Pega® Platform now provides an Application Security Checklist that you can refer to when you prepare your application for deployment. By completing the recommended tasks in this checklist, you can track your progress, access instructional information for tasks, and verify that your configurations are secure.

For more information, see Preparing your application for secure deployment, Compliance Score tab, Designer Studio — Home page.

Encrypt sensitive case data by using a secure default Pega Platform cipher and AWS KMS keys

Valid from Pega Version 7.3.1

You can encrypt sensitive data within your application without having to write custom cipher classes. You can configure encryption on the Data Encryption landing page by using your own keys managed in your private Amazon Web Services Key Management Service (AWS KMS) instance. Pega® Platform encryption uses keys that are stored in AWS KMS to support both time-based and on-demand key rotation. Technical issues can arise in some cases, for example, if a key is deleted from AWS KMS.

For more information, see Potential problems with keystores when using AWS KMS, Configuring a Platform cipher, Types of ciphers.

REST services support password credentials and JWT Bearer grant types

Valid from Pega Version 7.3.1

Pega® Platform REST services now support password credentials and the JWT (JSON Web Token) Bearer grant type when you enable OAuth 2.0-based authentication. By using password credentials, you can quickly migrate clients from direct authentication schemes, provide additional flexibility when other grants are not available, and integrate your application with REST services in other applications. You can add compatibility with modern JWT-based cloud security IDPs by using the JWT Bearer grant type.

For more information, see About OAuth 2.0 Provider data instances, OAuth 2.0 Client Registration data instances - Completing the Client Information tab, Creating an Identity Mapping data instance.

Support for the JSON Web Token Bearer grant type for accessing external APIs

Valid from Pega Version 8.4

You can now access external APIs by using the new OAuth 2.0 JSON Web Token (JWT) Bearer grant type, in an OAuth 2.0 authentication profile. To use the JWT Bearer grant type as a client assertion, source the JWT from an active SSO session, a token profile, or a property reference. You can use JWTs that you obtain during an OpenID Connect SSO in connectors, to achieve user impersonation flows, such as the On-Behalf-Of (OBO) flow. The OAuth 2.0 type authentication profile now also supports authentication of client applications by using Private Key JWTs.

Instances of the OAuth 2.0 provider are now deprecated. As a best practice, use the new, unified authentication profile configuration instead.

For more information, see Configuring an OAuth 2.0 authentication profile.
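The JWT Bearer grant described in this note and in the 7.3.1 REST services note follows RFC 7523. The added example below, which is not Pega code, shows the client's token request and the checks a token endpoint makes on the assertion. HS256 with a shared key, the function names, and the issuer and audience values passed in are assumptions chosen so that it runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

# Added example: HS256 with a shared key is an assumption, not a Pega default.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523, section 2.1

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def token_request(key, iss, sub, aud, now, lifetime=300):
    """Client side: build the form body POSTed to the token endpoint."""
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + lifetime})
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    assertion = signing_input + "." + b64url(sign(key, signing_input))
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def validate_grant(body, key, trusted_iss, expected_aud, now):
    """Token endpoint side: return the asserted subject or raise ValueError."""
    form = parse_qs(body)
    if form.get("grant_type") != [JWT_BEARER]:
        raise ValueError("unsupported grant_type")
    try:
        h64, c64, s64 = form["assertion"][0].split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except (KeyError, ValueError):
        raise ValueError("malformed assertion") from None
    if header.get("alg") != "HS256":  # pin the algorithm; do not trust the header
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, sign(key, f"{h64}.{c64}")):
        raise ValueError("bad signature")
    aud = claims.get("aud")  # RFC 7519 allows a string or a list of strings
    if claims.get("iss") != trusted_iss or expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("missing sub")
    return claims["sub"]
```

Private Key JWT client authentication sends the same kind of signed token in `client_assertion`, with `client_assertion_type` set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and requires an asymmetric signature.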

Upgrade impact

After an upgrade to Pega Platform 8.4 and later, Authentication Profiles can take advantage of the new JWT-based OAuth 2.0 grant type and client authentication features. To take advantage of this and other new security features, you must update any existing Authentication Profiles to use the formats in Pega Platform 8.4 and later.

What steps are required to update the application to be compatible with this change?

Since these features are available only for profiles created in Pega Platform 8.4 and later, clients must open and then save existing 'Authentication Profile' instances to ensure that the configuration is compatible with the latest authentication formats.

Sign and encrypt signatures and content with additional algorithms

Valid from Pega Version 8.4

You can now authenticate using JSON Web Token (JWT) token profiles to symmetrically and asymmetrically encrypt both signatures and content. All algorithms in the Nimbus JWT library are supported, including nested tokens. Custom key identifier headers (kid) are also supported. Use token profiles to securely propagate identities and transfer data between systems.

For more information, see Creating a processing JSON Web token profile.

For more information, see Creating a generation JSON Web token profile.

Custom application URL alias in the application definition

Valid from Pega Version 8.4

Create application URL aliases that support your ability to launch multiple Pega applications simultaneously in a single browser. This feature makes it easier for clients and your customers to log into multiple applications using the same browser and access them simultaneously. You configure your application URL alias in the application definition. For details, see Adding an application URL alias.

For more information, see Simplify access with an Application URL alias (8.4)

Upgrade impact

After an upgrade to Pega Platform™ 8.4 and later, review your application rules to determine if and how you must update them to reflect the current URL aliasing format. As part of these application rule updates, Pega also updated the URL format and value components of the clipboard property, pxRequestor.pxReqServletNameReal, which you can use to discover a servlet name. If your application uses this property to discover a servlet name, update the pxRequestor.pxReqServlet property in the application rule to use the new, required URL and value formats.

For detailed steps, see the section, Upgrading from Pega 8.3 or earlier: Guidelines for any required changes in your application URL aliasing, in the appropriate Pega Platform Upgrade Guide available at Deploy Pega Platform.

What steps should the customer take to update their application?

After upgrading, you must update your JMeter test scripts. For detailed steps, see Updating JMeter test scripts after migrating to Pega 8.4.

Add the security checklist to applications created before 7.3.1

Valid from Pega Version 7.3.1

The security checklist is now automatically added to applications. You can manually add the security checklist to applications that were created in earlier versions.

You can improve the security of your application by completing the tasks on the checklist.

To manually add the security checklist to an application created before 7.3.1, complete the following steps in Designer Studio:

  1. In the header of Designer Studio, click the name of the application, and then click Definition.
  2. Click the Documentation tab.
  3. In the Application guides section, click Add guide.
  4. In the Application guide field, enter pxApplicationSecurityChecklist.
  5. Click the Configure icon in the Available in column and select the portals (App Studio and Dev Studio) that you want to add the security checklist to.
  6. Click Save.

Pega Express methodology in App Studio for successful Microjourneys

Valid from Pega Version 8.4

App Studio now supports the Pega Express™ methodology to help you visualize the key factors of your Microjourneys™ - case types, personas, and data objects. With Microjourneys, you can analyze and clearly communicate who the parties that interact with your cases are, what channels of communication they use, and what data they need to resolve a case. Associating personas and data objects with case types also helps you manage your development team's workload by using a list of the draft elements that they need to develop.

For more information, see Plan successful microjourneys in App Studio (8.4), Creating a microjourney for customer success.

Upgrade impact

During a Pega Infinity™ upgrade to 8.4 and later, clients using App Studio are asked to update their applications to support use of the Pega Express™ methodology. Without this application update, the Persona landing page and Data objects and integration landing page are empty. For more information, see Pega 8.4 Deep Dive: Pega Express methodology in App Studio.

What steps are required to update the application to be compatible with this change?

In order to utilize the Pega Express methodology in App Studio and use the Inventory page, click Start now to complete the update of your application and add the required rules to it. If you choose to cancel, App Studio continues to work as expected without the Pega Express methodology features; you can click Start now at the top of your application overview page at any time to install the required rules in your application.

Relationships between elements of Microjourneys in application inventory

Valid from Pega Version 8.4

A new Inventory page in App Studio helps you manage the delivery of your projects by giving you an overview of the elements of your application and how they interact with your Microjourneys™. The new Inventory page lists draft relationships between the case types, personas, and data objects that you want to implement through development. By checking releases that correspond to the items that you need to develop, you can prioritize your work accordingly.

For more information, see Plan successful microjourneys in App Studio (8.4), Creating a Microjourney for customer success, Managing application inventory.

Upgrade impact

During a Pega Infinity™ upgrade to 8.4 and later, clients using App Studio are asked to update their applications to support use of the Pega Express™ methodology. Without this application update, the Persona landing page and Data objects and integration landing page are empty. For more information, see Pega 8.4 Deep Dive: Pega Express methodology in App Studio.

What steps are required to update the application to be compatible with this change?

In order to utilize the Pega Express methodology in App Studio and use the Inventory page, click Start now to complete the update of your application and add the required rules to it. If you choose to cancel, App Studio continues to work as expected without the Pega Express methodology features; you can click Start now at the top of your application overview page at any time to install the required rules in your application.

Expanded checks for Java injection vulnerabilities (8.4)

Valid from Pega Version 8.4

The Java injection vulnerability check in Pega Platform™ has been enhanced to further prevent Java injection, including in Edit validate, Edit input, and JSP rules. Pega Platform reports errors at design time and run time, and does not run any rule that includes any of the following Java code:

  • JavaCompiler
  • new ProcessBuilder()
  • org.dita.dost.invoker
  • Runtime.getRuntime()

For more information, see Configuring the Java injection check.
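To find rules that the expanded check would reject before you upgrade, you can scan exported rule Java text for the four constructs listed above. The following is an added example, not Pega's implementation: the patterns, the rule names, and the sample rule bodies are constructed, and the scan is deliberately conservative in that it also flags matches inside comments and string literals.

```python
import re

# The four constructs named in the release note. The patterns are constructed
# for this example and tolerate whitespace and line breaks between tokens.
BLOCKED = {
    "JavaCompiler": r"\bJavaCompiler\b",
    "new ProcessBuilder()": r"\bnew\s+(?:java\s*\.\s*lang\s*\.\s*)?ProcessBuilder\s*\(",
    "org.dita.dost.invoker": r"\borg\s*\.\s*dita\s*\.\s*dost\s*\.\s*invoker\b",
    "Runtime.getRuntime()": r"\bRuntime\s*\.\s*getRuntime\s*\(",
}
PATTERNS = {name: re.compile(rx) for name, rx in BLOCKED.items()}
UNICODE_ESCAPE = re.compile(r"\\u+([0-9a-fA-F]{4})")

def normalize(source):
    # The Java compiler translates \uXXXX escapes before lexing, so decode them
    # first; a decoded line break becomes a space to keep line numbers stable.
    def decode(match):
        ch = chr(int(match.group(1), 16))
        return " " if ch in "\r\n" else ch
    return UNICODE_ESCAPE.sub(decode, source)

def scan_rule(source):
    """Return sorted (line, construct) findings for one rule's Java text."""
    text = normalize(source)
    findings = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.add((text.count("\n", 0, match.start()) + 1, name))
    return sorted(findings)

def scan_rules(rules):
    """Map each rule name to its findings; an empty list means clean."""
    return {name: scan_rule(body) for name, body in rules.items()}

# Constructed sample rule bodies with hypothetical rule names.
SAMPLE_RULES = {
    "EditValidate-IsPhone": 'return theValue.matches("[0-9]{10}");',
    "EditInput-Normalize": "String s = theValue.trim();\nProcess p = new ProcessBuilder(cmd).start();",
    "JSP-Report": "Object r = Runtime\n    .getRuntime();",
    "EditInput-Escaped": "Object c = \\u004AavaCompiler.class;",
}

if __name__ == "__main__":
    for rule, hits in scan_rules(SAMPLE_RULES).items():
        print(rule, hits or "clean")
```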
