Published Release Notes

Support for predictive models in PMML version 4.4

Pega Platform™ now supports the import of predictive models in Predictive Model Markup Language (PMML) version 4.4. With this feature, you can import PMML models that use the anomaly detection algorithm.

For a list of all supported PMML models, see Supported models for import. 

Limits on active data flow runs

You can now configure a maximum number of concurrent active data flow runs for a node type. Set limits to ensure that you do not run out of system resources and that you have a reasonable processing throughput. If a limit is reached, the system queues subsequent runs and waits for active runs to stop or finish before queued runs can be initiated, starting with the oldest.

For more information see, Limit the number of active runs in data flow services (8.5).

Upgrade impact

If you have many data flow runs active at the same time, you might notice that some of the runs are queued and waiting to be executed.

What steps are required to update the application to be compatible with this change?

You do not have to take any action. After the active runs stop or finish, the queued runs start automatically. The default limits are intended to protect your system resources, and you should not see a negative impact on the processing of data flows. However, if you want to allow a greater number of active data flow runs to be active at the same time, you can change the limits. For more information, see Limiting active data flow runs.

Support for Apache HBase 2.1 and Hadoop 3.0

Support for these versions extends Pega Platform™ compatibility with HBase releases to ensure that your database implementations integrate seamlessly with Pega Platform.

Pega Platform now supports:

• Apache HBase 2.1 for the HBase data set
• Apache Hadoop Distributed File System (HDFS) 3.0 for the HDFS data set

For more information, see Enhance your data sets with Apache HBase 2.1 and Hadoop 3.0 (8.5).

Enhancing your revision management process with Deployment Manager pipelines

Pega Platform 8.5 offers improved synergy between revision management and the automated deployment process provided by Pega's Deployment Manager 4.8 pipelines. Use Deployment Manager 4.8 to increase the efficiency of business-as-usual application changes and automatize the deployment of revision packages.

For more information, see Managing the business-as-usual changes.

Support for Cloud AutoML topic detection models

In Prediction Studio, you can now connect to topic detection models that you create in Cloud AutoML, Google's cloud-based machine learning service. You can then use the models to categorize and route messages from your customers.

For more information, see Broaden your selection of topic detection models by connecting to third-party services (8.5).

Control group configuration for predictions

You can now configure a control group for your predictions in Prediction Studio. Based on the control group, Prediction Studio calculates a lift score for each prediction that you can later use to monitor the success rate of your predictions.

For more information, see Customizing predictions.

Response timeout configuration for predictions

You can now set a response timeout for your predictions in Prediction Studio. By setting a response timeout, you control how Prediction Studio registers customer responses that later serve as feedback data for your predictions.

For more information, see Customizing predictions.

New JWT access token format: Authorized Access Token

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

• The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
• A single token can be used with multiple applications.
• The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
• As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid: 

• Valid tokens have the “active”:true status
• Invalid tokens have the “active” :false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

For more information, see OAuth 2.0 Management Services.

Enhanced refresh token strategy

You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case. 

These can be configured in the OAuth2 Client registration rule form.

For more information, see Enhanced refresh token strategy.