Java injection vulnerability check
Valid from Pega Version 8.3
Pega Platform™ now notifies you of Java injection vulnerabilities in activities, functions, and stream rules at design time and at run time. You can customize Pega Platform to check for additional vulnerabilities to ensure that your application runs without problems.
For more information, see Configuring the Java injection check.
Usability improvements to Admin Studio
Valid from Pega Version 8.3
Admin Studio offers a variety of usability enhancements, including:
- New access groups to differentiate between full and read-only access to Admin Studio
- A Java class lookup utility
- A requestor list for the logged-on operator
- The ability to display system node type in the logs
Also, if your environment uses Predictive Diagnostic Cloud (PDC), the Admin Studio overview page now includes a link to PDC.
For more information, see Managing requestors.
Token credentials authentication service
Valid from Pega Version 8.3
You can create a new type of authentication service for token credentials authentication, which is useful for offline mobile applications. With token credentials authentication, users need to enter their credentials only once in a session. Subsequent access to the server is authenticated with a token. The token can be generated by the Pega Platform™ authorization layer (OAuth 2.0) or issued by an external identity provider.
For more information, see Configuring a token credentials authentication service.
Platform truststore for validating certificates
Valid from Pega Version 8.3
Pega Platform™ now includes a platform truststore, to which you can import X.509 certificates that are common across platform applications. When a certificate needs to be validated, Pega Platform looks for the certificate at the connector level, then in the platform truststore, and finally in the application server (JVM) truststore. You can add, update, and delete certificates in the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key rotation.
For more information, see Importing an X.509 certificate.
Support for additional key management services
Valid from Pega Version 8.3
By supporting additional key management services, Pega Platform™ offers you increased flexibility when defining keys that are used for encryption of application and internal system data. You can now create keystores that reference keys from key management services such as Microsoft Azure Key Vault, HashiCorp Vault, and Google Cloud KMS, in addition to Amazon KMS. You can also create a keystore that references other key management services through the use of a data page.
For more information, see Configuring a Microsoft Azure Key Vault keystore, Configuring a HashiCorp Vault keystore, and Configuring a Google Cloud KMS keystore.
New JWT access token format: Authorized Access Token
Valid from Pega Version 8.5
Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.
The major benefits to using the JWT format are:
- The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
- A single token can be used with multiple applications.
- The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
- As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).
For more information, see Understanding authorized access tokens.
Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service
Valid from Pega Version 8.5
Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.
Token Introspection service
Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication.
Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT).
Token Introspection service endpoint
The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid:
- Valid tokens have the
“active”:truestatus - Invalid tokens have the
“active” :falsestatus.
The inactive status can also be due to revocation.
Token Denylist service
You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
Keys endpoint
Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.
For more information, see OAuth 2.0 Management Services.
Enhanced refresh token strategy
Valid from Pega Version 8.5
You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case.
These can be configured in the OAuth2 Client registration rule form.
For more information, see Enhanced refresh token strategy.
Enhancements to token lifetime limits
Valid from Pega Version 8.5
Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.
These can be configured in the OAuth2 Client registration rule form.
For more information, see OAuth 2.0 Management Services.
Improving basic access control
Valid from Pega Version 8.5
Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.
For more information, see Access Control Checks.
Upgrade impact
After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls by using registration or encryption mechanisms.
What steps are required to update the application to be compatible with this change?
After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.