Published Release Notes

Improving basic access control

Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.

For more information, see Access Control Checks.

Upgrade impact

After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls  by using registration or encryption mechanisms.

What steps are required to update the application to be compatible with this change?

After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.

New JWT access token format: Authorized Access Token

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

• The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
• A single token can be used with multiple applications.
• The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
• As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

Ability to restrict access to the Import wizard

You can now restrict access to the Import wizard so that users implement an automated pipeline to deploy changes between environments such as staging and production. Deployment Manager is one method by which to create pipelines. By using pipelines to propagate changes, users can apply a standardized and automated deployment process for migrating their applications.

For more information, see:

• Ensuring that users migrate applications with a pipeline by restricting the Import wizard
• Understanding model-driven DevOps with Deployment Manager

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid: 

• Valid tokens have the “active”:true status
• Invalid tokens have the “active” :false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

For more information, see OAuth 2.0 Management Services.

Search and Reporting does not index large items

When using the Search and Reporting (SRS) microservice in Pega Platform™ 8.5, you might encounter problems with indexing large out-of-the-box rules. The issue is not visible in Queue Processors, but you can access logs to verify which items the system does not index.

Enhancements to token lifetime limits

Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.

These can be configured in the OAuth2 Client registration rule form.

For more information, see OAuth 2.0 Management Services.

Database storage used for passivation in High Availability mode

When an application is running in High Availability mode, the value attribute for initialization/​persistrequestor/storage in the prconfig.xml file or the Dynamic System Settings​ now defaults to "database."

Previously, applications running in High Availability mode required shared passivation, where either initialization/​persistrequestor/storage was set to “OnTimeout” or a custom passivation mechanism was used. The change to using database by default provides persistent storage for passivation, and provides control for the landing page for High Availability.

For more information, see Understanding passivation and requestor timeouts and the High Availability Administration Guide.

Enhanced refresh token strategy

You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case. 

These can be configured in the OAuth2 Client registration rule form.

For more information, see Enhanced refresh token strategy.

End of support for Microsoft Internet Explorer 8 and quirks mode applications in Pega 7.1.9

In accordance with Microsoft’s announcement to discontinue support for Internet Explorer 8 in January 2016, Pega 7.1.9 does not support Internet Explorer 8, nor does it support non-HTML5 standard user interfaces.

You must upgrade to Microsoft Internet Explorer 9 or later or use Google Chrome, Apple Safari, or Mozilla Firefox. If you are using Internet Explorer 9 or later, you must turn off compatibility mode by accessing the Compatibility View settings.

Note the following:

• Pega 7.1.9 does not support user interface rules that are not based on HTML5 standards (rules in quirks mode).
• If you use applications that are rendered in quirks mode, which enables Pega 7 to correctly display and render non-HTML5 standard user interfaces, you must update them to standards-based HTML5 user interfaces when you upgrade to Pega 7.1.9 or later. Pega 7 provides automated tools to help you migrate your applications.
• Pegasystems Global Customer Support will not investigate or fix any Pega 7.1.9 bugs or support requests that are exclusive to Internet Explorer 8 or quirks mode user interfaces.

You can quickly identify which components of your application user interface are not HTML5 standards-based by clicking Designer Studio > User Interface > HTML5 Application Readiness.

Upgrading to Pega 7.1.9 and a newer browser offers the following benefits:

• These browsers are HTML5 and CSS3 compliant.
• New features are supported and existing features work as intended.
• The Pega 7 Platform user interface is displayed and rendered as intended.
• Browser security is enhanced.

If you have additional questions about browser support, see the Platform Support Guide or contact Pegasystems Global Customer Support.