Support for the JSON Web Token Bearer grant type for accessing external APIs
Valid from Pega Version 8.4
You can now access external APIs by using the new OAuth 2.0 JSON Web Token (JWT) Bearer grant type, in an OAuth 2.0 authentication profile. To use the JWT Bearer grant type as a client assertion, source the JWT from an active SSO session, a token profile, or a property reference. You can use JWTs that you obtain during an OpenID Connect SSO in connectors, to achieve user impersonation flows, such as the On-Behalf-Of (OBO) flow. The OAuth 2.0 type authentication profile now also supports authentication of client applications by using Private Key JWTs.
Instances of the OAuth 2.0 provider are now deprecated. As a best practice, use the new, unified authentication profile configuration instead.
For more information, see Configuring an OAuth 2.0 authentication profile.
Upgrade impact
After an upgrade to Pega Platform 8.4 and later, Authentication Profiles can take advantage of the new JWT based OAuth 2.0 grant type and client authentication features. To take advantage of this and other new security features, you must update any existing Authentication Profiles formats must to use those in Pega Platform 8.4 and later.
What steps are required to update the application to be compatible with this change?
Since these features are available only for profiles created in Pega Platform 8.4 and later, clients must open and then save existing 'Authentication Profile' instances to ensure that the configuration is compatible with the latest authentication formats.
Specify the scope for rolling back rules and data to a restore point
Valid from Pega Version 8.4
Create restore points to save the state of all rules and data in your system at a significant point in time, for example, before you import an application. Roll back to that restore point to return the system to that state. Now, you can filter which rule and data instances are returned to their previous state:
- System: Roll back every rule and data instance that has a history record.
- User: Roll back rule and data instances modified by a specific user. If any rule was changed by more than one user, you will see an error message and must use the system rollback.
- Application: Roll back rule and data instances in a specific application.
For more information, see Using restore points to enable error recovery.
Sign and encrypt signatures and content with additional algorithms
Valid from Pega Version 8.4
You can now authenticate using JSON Web Token (JWT) token profiles to symmetrically and asymmetrically encrypt both signatures and content. All algorithms in the Nimbus JWT library are supported, including nested tokens. Custom key identifier headers (kid) are also supported. Use token profiles to securely propagate identities and transfer data between systems.
For more information, see Creating a processing JSON Web token profile.
For more information, see Creating a generation JSON Web token profile.
Rules can no longer access Pega internal Java packages
Valid from Pega Version 8.4
You can no longer create rules that access Java packages that reference internal APIs (syntax com.pega.platform.*.internal*). This change does not affect rules that access Pega public API packages.
If you encounter issues when running existing rules that reference internal Pega APIs, contact Pega Support.
Upgrade impact
After an upgrade to 8.4 and later, clients can no longer save new or modified rules that access Pega internal APIs; existing rules that reference internal APIs can still be run but cannot be modified.
What steps are required to update the application to be compatible with this change?
Following a software upgrade to 8.4 or later, clients can refactor existing rules into guardrail compliant rules. To find rules to refactor, run the validation tool from designer studio (Application > Tools > Validation) to identify what rules fail validation; failed rules that include the message "Test compilation failed : Illegal internal class reference : com.pega.internal.XYZ" can updated to reference appropriate APIs.
Custom application URL alias in the application definition
Valid from Pega Version 8.4
Create application URL aliases that support your ability to launch multiple Pega applications simultaneously in a single browser. This feature makes it easier for clients and your customers to log into multiple applications using the same browser and access them simultaneously. You configure your application URL alias in the application definition. For details, see Adding an application URL alias.
For more information, see Simplify access with an Application URL alias (8.4).
Upgrade impact
After an upgrade to Pega Platform™ 8.4 and later, review to determine if and how you must update your application rules to reflect the current URL aliasing format. As part of these application rule updates, Pega also updated the URL format and value components of the clipboard property, pxRequestor.pxReqServletNameReal, which you can use to discover a servlet name. If your application uses this property to discover a servlet name, update the pxRequestor.pxReqServlet property in the application rule to use the new, required URL and value formats.
For details steps, see the section, Upgrading from Pega 8.3 or earlier: Guidelines for any required changes in your application URL aliasing in the appropriate Pega Platform Upgrade Guide available at Deploy Pega Platform.
What steps should the customer take to update their application?
After upgrading, you must update your JMeter test scripts. For detailed steps, see Updating JMeter test scripts after migrating to Pega 8.4.
Client-server deployment of Hazelcast
Valid from Pega Version 8.4
Pega Platform™ now supports the client-server model for the Hazelcast service, which provides cluster communication and distributes Pega Platform features across nodes. This optional deployment model introduces independent scalability for both servers and clients in Pega Platform, improving stability for deployments that use a large number of nodes.
The Hazelcast client-server model is intended for select environments running Pega Platform 8.4 across a large number of nodes and should be deployed only when directed by Global Client Support.
Expanded checks for Java injection vulnerabilities (8.4)
Valid from Pega Version 8.4
The Java injection vulnerability check feature has been enhanced in Pega Platform™ to further prevent Java injection, including Edit validate, Edit input, and JSP rules. Pega Platform reports errors at design time and run time, and does not run any rule that includes any of the following Java code:
- JavaCompiler
- new ProcessBuilder()
- org.dita.dost.invoker
- Runtime.getRuntime()
For more information, see Configuring the Java injection check.
Improved indexing performance by gradual retrieval of data
Valid from Pega Version 8.4
Search functionality in Pega Platform™ versions from 8.4.5 to 8.6 now includes the option to improve indexing performance when reading query results from a large table in a database. For example, to load the recommended 50 records at a time, in the Pega-SearchEngine ruleset, create the indexing/distributed/fetchsize dynamic system setting, and set the value to 50.
Creating the fetchsize dynamic system setting ensures that your system does not crash while indexing classes with numerous instances.
For more information, see Creating a dynamic system setting.