Automatically update dependent applications to use the latest versions of built-on applications
Valid from Pega Version 8.5
You can now automatically update dependent applications to use the latest versions of built-on applications. When you import an archive that you created from a product rule, you can update all dependent applications to be built on the latest application versions in the archive.
For more information, see Updating dependent applications with the latest versions of built-on applications.
Alerts for long-running queue processor and job scheduler activities
Valid from Pega Version 8.5
Pega Platform™ now saves an alert in the performance alert log when a queue processor activity or a scheduled job runs longer than the configured threshold value. Use the alerts to identify potential performance issues with long-running processes.
The alerts are enabled by default. You can change the alerts for dedicated queue processors and job schedulers at the rules level. For standard queue processors, you can also set the threshold value for the Queue-For-Processing command in an activity. You disable the alerts in dynamic system settings.
For more information, see:
- PEGA0117 alert: Long-running queue processor activity
- PEGA0118 alert: Long-running job scheduler activity
New JWT access token format: Authorized Access Token
Valid from Pega Version 8.5
Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.
The major benefits to using the JWT format are:
- The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
- A single token can be used with multiple applications.
- The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
- As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).
For more information, see Understanding authorized access tokens.
Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service
Valid from Pega Version 8.5
Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.
Token Introspection service
Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication.
Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT).
Token Introspection service endpoint
The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid:
- Valid tokens have the
“active”:truestatus - Invalid tokens have the
“active” :falsestatus.
The inactive status can also be due to revocation.
Token Denylist service
You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
Keys endpoint
Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.
For more information, see OAuth 2.0 Management Services.
Enhanced refresh token strategy
Valid from Pega Version 8.5
You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case.
These can be configured in the OAuth2 Client registration rule form.
For more information, see Enhanced refresh token strategy.
Enhancements to token lifetime limits
Valid from Pega Version 8.5
Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.
These can be configured in the OAuth2 Client registration rule form.
For more information, see OAuth 2.0 Management Services.
Introduction of Search and Reporting Service
Valid from Pega Version 8.5
Pega Platform™ now uses Search and Reporting Service, which is an independent microservice. The new enhancement provides a convenient way to manage your application data, and is easier to maintain. For example, because of the cloud-based architecture of Search and Reporting Service, any bug fixes and performance improvements occur seamlessly, and have no impact on your overall experience in Pega Platform.
For more information, see Search and Reporting overview.
Ability to restrict access to the Import wizard
Valid from Pega Version 8.5
You can now restrict access to the Import wizard so that users implement an automated pipeline to deploy changes between environments such as staging and production. Deployment Manager is one method by which to create pipelines. By using pipelines to propagate changes, users can apply a standardized and automated deployment process for migrating their applications.
For more information, see:
- Ensuring that users migrate applications with a pipeline by restricting the Import wizard
- Understanding model-driven DevOps with Deployment Manager
Optimized data schema upgrade
Valid from Pega Version 8.5
Several improvements have been made to optimize the speed of the data schema upgrade to help you experience minimal downtime during upgrade to Pega Platform 8.5™. The data schema upgrade process optimizations include the following improvements:
- Optimized database index creation during upgrade
- Optimized synchronization process to detect duplicate rules during the application import process
- A new upgrade setting for Pega Cloud® Services operators that reduces the time to upgrade clients that run large Pega applications, such as the CRM Suite
For more information, see Limit upgrade downtime with data schema upgrade improvements (8.5).
Support for hotfix file verification
Valid from Pega Version 8.5
Pega Platform hotfix files are now digitally signed so that they can be verified and authenticated. If your Pega Platform™ instance allows outbound URL connections, hotfix files are verified automatically during installation. If your Pega Platform instance does not allow outbound URL connections, you can verify the files manually by using third-party tools. Alternatively, if your Pega Platform instance does not allow outbound URL connections and you do not use third-party tools to verify hotfix files, you can import a certificate revocation list (CRL) for Pega Platform to use when checking the files to see if they have been revoked.
For more information, see Verifying the authenticity of hotfix files.