Published Release Notes

Tamper-proof Pega Web Mashup loading

To protect your application from hackers, Pega Web Mashup is now loaded in a more secure way. The system generates a channel ID in the mashup code for validation on the server, before passing the mashup request. 

For more information, see Creating a mashup.

Upgrade impact

After an upgrade to Pega Platform 8.5, existing mashups, which do not have the channel ID parameter in their code, cannot load and users see the access control warning.

What steps are required to update the application to be compatible with this change?

If you need to maintain full availability of the mashup during the upgrade of the production environment, perform the steps in Migrating existing mashups.

Automatic separation of date input

Date fields in Date Time controls now automatically divide strings of input into days, months, and years. In single fields, the system adds slashes (/) as the user types the value. For example, an input string of 10102020 becomes 10/10/2020. In separate day/month/year fields, the system automatically switches from one field to the next as the user types the value. This enhancement improves the user experience by helping to users provide input in a more convenient and time-efficient manner.

For more information, see Configuring a Date Time control.

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid: 

• Valid tokens have the “active”:true status
• Invalid tokens have the “active” :false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

For more information, see OAuth 2.0 Management Services.

Support for picklists with parameterized data pages in App Studio in Cosmos React UI

You can now use data pages with parameters to populate a property of the picklist type with filtered results in App Studio. For example, in a survey case type, you can use a parameterized data page to configure cascading drop-down controls in which the values in a secondary drop-down list are based on the value that the user selects in the primary drop-down list. With dynamically-sourced picklists, you get greater flexibility in configuring picklists, and users see more accurate values.

For more information, see link Dropdown control Properties — General tab.

Configuring geolocation tracking at the case level

You can now enable geolocation tracking at a case level to track users of an offline-enabled custom mobile app. By tracking users who are working on a case, you can monitor or supervise them while they are using the custom mobile app and when the app is running in the background. You can also track users when the device is not connected to the server. Recorded locations are synchronized with the server and stored in a database that is available through a data page. When Pega Platform™ receives location data, the new Map control can display multiple user tracks and markers that represent other data, for example, job locations that are assigned to users.

For more information, see Tracking mobile end users with the Map control and Adding the map control.

Search and Reporting does not index large items

When using the Search and Reporting (SRS) microservice in Pega Platform™ 8.5, you might encounter problems with indexing large out-of-the-box rules. The issue is not visible in Queue Processors, but you can access logs to verify which items the system does not index.

For Microsoft SQL Server deployments, change settings to create data types in Integration Designer

For on-premises deployments that use Microsoft SQL Server, set the Pega-Reporting/reporting/useMergeHintForRRquery dynamic system setting to true. If you do not configure this setting, you might not be able to create a new data type in Integration Designer that uses Pega as the system of record. Configure the setting as follows:

• Owning ruleset: Pega-Reporting
• Setting purpose: reporting/useMergeHintForRRquery
• Value: true

For more information about configuring dynamic system settings, see Creating a dynamic system setting.

Role-based workspaces improve productivity

You can now use workspaces to access role-based tools and features. By focusing on the tasks that align with your expertise, you can develop and manage your application more quickly.

For more information about the different types of workspaces, see Workspaces.

Support for configuring and saving external data in App Studio

You can now configure a savable data plan to easily replace or update related data directly from App Studio, and persist those changes during the case lifecycle. This enhancement allows you to work directly in App Studio, without being limited to read-only access of data from case types.

Improved identification and handling of code assembly errors

Code assembly error logs are now more meaningful and help you identify root causes with better accuracy. Pega Platform™ now also invalidates erroneous assembly to facilitate successful reassembly when the code is accessed again. For example, if a section is not correctly assembled when a user first signs in to the system, the application attempts to reassemble that section the next time a user signs in. In this way, you can avoid lingering issues and improve stability.