Published Release Notes

This documentation is for non-current versions of Pega Platform. For current release notes, go here.

External keystore support in Pega Platform

Valid from Pega Version 7.3

Pega® Platform now provides the ability to source certificates and encryption keys from external keystores. Use the Keystore rule to specify a source other than the platform's database for certificates and keys. You can choose a data page, a URL, or an external file in one of the following standard formats: JKS, JWK, PKCS12, KEYTAB, or KEY. Keystore information is stored in cache memory only; it is not stored on the clipboard and is not directly accessible to the application logic.

For more information, see Creating a Keystore data instance.

Support for OAuth 2.0 authorization in Pega Platform REST services

Valid from Pega Version 7.3

Pega® Platform REST services now support OAuth 2.0 authorization that uses federated authentication with SAML 2.0-compliant identity providers (IDPs). The OAuth 2.0-based authorization can be configured to use the SAML2-bearer grant type with a SAML token profile. This configuration is used when a resource requestor is authenticated by a SAML 2.0-compliant IDP.

For more information, see Security rules and data.

All search data is encrypted

Valid from Pega Version 8.2

All search data in Pega Cloud deployments is now encrypted, both at rest and in transit. The encryption of search data makes search compliant with regulatory requirements.

For more information about search, see Full-text search.

Support for encrypted traffic in a cluster

Valid from Pega Version 7.3

The Pega 7 Platform includes the Ignite platform, which supports encryption for intra-cluster communications. You can now configure encryption for intra-cluster traffic for compliance with regulatory or organizational security requirements.

For more information, see Enabling encrypted traffic between nodes.

Enhanced security of Robotic Desktop Automation requests

Valid from Pega Version 7.3

Security enhancements have been introduced in the communication (data synchronization or pulling data) between Pega® Platform and applications that use robotic desktop automation functionality. These applications (web, desktop, and legacy) communicate with Pega Platform through connectors. No additional configuration is necessary.

For more information, see Robotic automation.

Authenticate users in processes with a JSON Web Token

Valid from Pega Version 7.3

You can generate and process a JSON Web Token (JWT) in Pega® Platform to secure communications in Pega Platform applications. JWTs are intended to securely transmit small amounts of information between two parties. Because the JWT is signed, a recipient that verifies the signature can rely on the integrity of the information; signing alone does not keep the contents confidential. The contents of the JWT can be used to authenticate a user or to exchange information.

For more information, see Token Profile data instance.

Monitor standard and custom security events

Valid from Pega Version 7.3

From the new Security Event Configuration landing page, you can select the standard and custom security events that you want the Pega 7 Platform to log automatically for every user session. The security events are grouped into the following types:

  • Authentication
  • Data access
  • Security administration
  • Custom

The API logCustomEvent() is provided so that you can create custom security events that are specific to your applications and that can be monitored by the Pega 7 Platform. For more information, see Security Event Configuration.

Protect against insecure deserialization

Valid from Pega Version 8.2

Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top 10 security vulnerabilities for web applications. Pega Platform™ protects against this vulnerability by using filters that prevent deserialization of suspect data streams. You can configure these filters from the Deserialization Blacklist landing page.

For more information, see Configuring the deserialization filter.

Authentication service for basic credentials

Valid from Pega Version 8.2

A new type of authentication service is available for authenticating operators by using basic credentials (user ID and password). The default Pega Platform™ login is now an instance of this type of authentication service. All basic credentials authentication services include mobile authentication with the OAuth 2.0 protocol and Proof Key for Code Exchange (PKCE). You no longer have to create a custom authentication service to support mobile applications.

For more information, see Configuring a basic authentication service.

Cross-origin resource sharing (CORS) policies for APIs and REST services

Valid from Pega Version 7.3

You can now use cross-origin resource sharing (CORS) policies to control how external systems and websites (origins) are permitted to access resources such as APIs and services within your applications. For example, Pega® Platform uses CORS policies to restrict which Pega Robotic client applications can connect to your Pega applications, and to limit which mobile apps can call Pega mobile services. Using CORS policies results in reduced cost and implementation times, while providing increased security when other systems or websites interact with your application.

For more information, see Creating a cross-origin resource sharing (CORS) policy and Mapping an endpoint to a cross-origin resource sharing (CORS) policy.
