Published Release Notes

Integrated Application Security Checklist helps you deploy a secure application

Pega^® Platform now provides an Application Security Checklist that you can refer to when you prepare your application for deployment. By completing the recommended tasks in this checklist, you can track your progress, access instructional information for tasks, and verify that your configurations are secure.

For more information, see Preparing your application for secure deployment, Compliance Score tab, Designer Studio — Home page.

Encrypt sensitive case data by using a secure default Pega Platform cipher and AWS KMS keys

You can encrypt sensitive data within your application without having to write custom cipher classes. You can configure encryption on the Data Encryption landing page by using your own keys managed in your private Amazon Web Services Key Management Service (AWS KMS) instance. Pega^® Platform encryption uses keys that are stored in AWS KMS to support both time-based and on-demand key rotation. Technical issues can arise in some cases, for example, if a key is deleted from AWS KMS.

For more information, see Potential problems with keystores when using AWS KMS, Configuring a Platform cipher, Types of ciphers.

REST services support password credentials and JWT Bearer grant types

Pega^® Platform REST services now support password credentials and the JWT (JSON Web Token) Bearer grant type when you enable OAuth 2.0-based authentication. By using password credentials, you can quickly migrate clients from direct authentication schemes, provide additional flexibility when other grants are not available, and integrate your application with REST services in other applications. You can add compatibility with modern JWT-based cloud security IDPs by using the JWT Bearer grant type.

For more information, see About OAuth 2.0 Provider data instances, OAuth 2.0 Client Registration data instances - Completing the Client Information tab, Creating an Identity Mapping data instance.

Java injection vulnerability check

Pega Platform™ now notifies you of Java injection vulnerabilities in activities, functions, and stream rules at design time and at run time.  You can customize Pega Platform to check for additional vulnerabilities to ensure that your application runs without problems.

For more information, see Configuring the Java injection check.

Usability improvements to Admin Studio

Admin Studio offers a variety of usability enhancements, including:

• New access groups to differentiate between full and read-only access to Admin Studio
• A Java class lookup utility
• A requestor list for the logged-on operator
• The ability to display system node type in the logs

Also, if your environment uses Predictive Diagnostic Cloud (PDC), the Admin Studio overview page now includes a link to PDC.

For more information, see Managing requestors.

Token credentials authentication service

You can create a new type of authentication service for token credentials authentication, which is useful for offline mobile applications. With token credentials authentication, users need to enter their credentials only once in a session. Subsequent access to the server is authenticated with a token. The token can be generated by the Pega Platform™ authorization layer (OAuth 2.0) or issued by an external identity provider.

For more information, see Configuring a token credentials authentication service.

Platform truststore for validating certificates

Pega Platform™ now includes a platform truststore, to which you can import X.509 certificates that are common across platform applications. When a certificate needs to be validated, Pega Platform looks for the certificate at the connector level, then in the platform truststore, and finally in the application server (JVM) truststore. You can add, update, and delete certificates in the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key rotation.

For more information, see Importing an X.509 certificate.

Support for additional key management services

By supporting additional key management services, Pega Platform™ offers you increased flexibility when defining keys that are used for encryption of application and internal system data. You can now create keystores that reference keys from key management services such as Microsoft Azure Key Vault, HashiCorp Vault, and Google Cloud KMS, in addition to Amazon KMS. You can also create a keystore that references other key management services through the use of a data page.

For more information, see Configuring a Microsoft Azure Key Vault keystore, Configuring a HashiCorp Vault keystore, and Configuring a Google Cloud KMS keystore.

Add the security checklist to applications created before 7.3.1

The security checklist is now automatically added to applications. You can manually add the security checklist to applications that were created in earlier versions.

You can improve the security of your application by completing the tasks on the checklist.

The following task reflects the procedure on how to manually add the security checklists to Designer Studio prior to 7.3.1:

1. In the header of Designer Studio, click the name of the application, and then click Definition.
2. Click the Documentation tab.
3. In the Application guides section, click Add guide.
4. In the Application guide& field, enter pxApplicationSecurityChecklist.
5. Click the Configure icon in the Available in column and select the portals (App Studio and Dev Studio) that you want to add the security checklist to.
6. Click Save.