Published Release Notes

External keystore support in Pega Platform

Pega^® Platform now provides the ability to source certificates and encryption keys from external keystores. You use the Keystore rule to specify alternatives to the platform's database to source certificates and keys. You can choose to use a data page, a URL, or an external file in one of the following standard formats: JKS, JWK, PKCS12, KEYTAB, or KEY. Keystore information is stored in cache memory only. It is not stored on the clipboard nor is it directly accessible to the application logic.

For more information, see Creating a Keystore data instance.

Terminate sessions for operators from outside the Pega 7 Platform

The newly added Users REST API allows an authorized administrator to terminate sessions for one or more operator IDs from outside the Pega^® 7 Platform. A typical use case for this API is to terminate a user’s session when the user's security credentials, which are stored externally, are known to have changed.

Access the Pega API by clicking Resources > Pega API.

Support for OAuth 2.0 authorization in Pega Platform REST services

Pega^® Platform REST services now support OAuth 2.0 authorization that uses federated authentication with SAML 2.0-compliant identity providers (IDPs). The OAuth 2.0-based authorization can be configured to use the SAML2-bearer grant type with a SAML token profile. This configuration is used when a resource requestor is authenticated by using a SAML2.0-compliant IDP.

For more information, see Security rules and data.

End of active support for Cosmos React version 8.6

As of the release of Pega Platform™ version 8.8 in October 2022, the early adopter Cosmos React (now Constellation) UI is no longer supported. Consequently, Pega support teams no longer accept assignments and incident reports for the 8.6 version of Cosmos React and DX SDK. Upgrade to a later version of Cosmos React or Constellation to maintain support.

Platform truststore for validating certificates

Pega Platform™ now includes a platform truststore, to which you can import X.509 certificates that are common across platform applications. When a certificate needs to be validated, Pega Platform looks for the certificate at the connector level, then in the platform truststore, and finally in the application server (JVM) truststore. You can add, update, and delete certificates in the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key rotation.

For more information, see Importing an X.509 certificate.

Encrypt sensitive case data by using a secure default Pega Platform cipher and AWS KMS keys

You can encrypt sensitive data within your application without having to write custom cipher classes. You can configure encryption on the Data Encryption landing page by using your own keys managed in your private Amazon Web Services Key Management Service (AWS KMS) instance. Pega^® Platform encryption uses keys that are stored in AWS KMS to support both time-based and on-demand key rotation. Technical issues can arise in some cases, for example, if a key is deleted from AWS KMS.

For more information, see Potential problems with keystores when using AWS KMS, Configuring a Platform cipher, Types of ciphers.

Integrated Application Security Checklist helps you deploy a secure application

Pega^® Platform now provides an Application Security Checklist that you can refer to when you prepare your application for deployment. By completing the recommended tasks in this checklist, you can track your progress, access instructional information for tasks, and verify that your configurations are secure.

For more information, see Preparing your application for secure deployment, Compliance Score tab, Designer Studio — Home page.

Pega Agile Studio integration

You can configure the new Agile Workbench tool to integrate with Pega^® Agile Studio so that bugs and user stories are synchronized between the two systems. In addition, you can improve traceability in your development environment by using the Current work feature to associate a user story or bug with development changes.

For more information, see Integrating Agile Workbench with Pega Agile Studio and Tracing development changes to work items.

Use Kerberos credentials in a Pega application to authenticate and access external systems

Authentication services now support Kerberos as an authentication type. When you connect from the Pega 7 Platform to external systems and services that require Kerberos authentication, the Pega 7 Platform stores the user Kerberos credentials and makes them available in Pega 7 Platform connectors.

For more information, see Using Kerberos credentials in a Pega application to authenticate and access external systems.

Improved operator security

To improve security, Pega® Platform now requires the following:

• During deployment, you must configure a password for [email protected].
• The administrator must enable new out-of-the-box operators.
• The administrator and new Pega-supplied operators must change their passwords after the first login.

These requirements replace the optional secured mode in earlier versions of Pega Platform.