Published Release Notes

Tamper-proof Pega Web Mashup loading

To protect your application from hackers, Pega Web Mashup is now loaded in a more secure way. The system generates a channel ID in the mashup code for validation on the server, before passing the mashup request. 

For more information, see Creating a mashup.

Upgrade impact

After an upgrade to Pega Platform 8.5, existing mashups, which do not have the channel ID parameter in their code, cannot load and users see the access control warning.

What steps are required to update the application to be compatible with this change?

If you need to maintain full availability of the mashup during the upgrade of the production environment, perform the steps in Migrating existing mashups.

Behavior changes when reporting on descendant classes

Report Definitions that use the Report on descendant class instances option with the Include all descendant classes option apply only to the Applies to Class. Join classes are not included as they were in previous Pega^® Platform versions. The following example shows what happens for each possible scenario for Report on descendant class instances when the report is defined on ClassA with a class join with Work-.

• If Report on descendant class instances is disabled, the report runs against ClassA and the join happens with Work-. The behavior is the same in Pega 7.3.1 as it is in previous Pega Platform versions.
• If Report on descendant class instances is enabled, and Include single implementation class is selected, the report runs against ClassA and the join happens with the MySampleClass implementation class. The behavior is the same in Pega 7.3.1 as it is in previous Pega Platform versions.
• If Report on descendant class instances is enabled, and Include all descendant classes is selected, the report runs against ClassA and its descendants and the join happens with Work-. In previous Pega Platform versions, the join happened with the MySampleClass implementation class.

Automatic separation of date input

Date fields in Date Time controls now automatically divide strings of input into days, months, and years. In single fields, the system adds slashes (/) as the user types the value. For example, an input string of 10102020 becomes 10/10/2020. In separate day/month/year fields, the system automatically switches from one field to the next as the user types the value. This enhancement improves the user experience by helping to users provide input in a more convenient and time-efficient manner.

For more information, see Configuring a Date Time control.

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid: 

• Valid tokens have the “active”:true status
• Invalid tokens have the “active” :false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

For more information, see OAuth 2.0 Management Services.

Support for custom database tables in external Cassandra clusters

Pega Platform™ now supports a connection to external Cassandra clusters through a dedicated Database Table data set, which reduces the need for data ingestion and export. You can use custom tables that you store in your external Cassandra cluster in data flows for accessing and saving data. You can access your custom data model by mapping the model to a Pega Platform class.

For more information, see Connecting to an external Cassandra database through a Database Table data set.

Usability improvements to Admin Studio

Admin Studio offers a variety of usability enhancements, including:

• New access groups to differentiate between full and read-only access to Admin Studio
• A Java class lookup utility
• A requestor list for the logged-on operator
• The ability to display system node type in the logs

Also, if your environment uses Predictive Diagnostic Cloud (PDC), the Admin Studio overview page now includes a link to PDC.

For more information, see Managing requestors.

Search and Reporting does not index large items

When using the Search and Reporting (SRS) microservice in Pega Platform™ 8.5, you might encounter problems with indexing large out-of-the-box rules. The issue is not visible in Queue Processors, but you can access logs to verify which items the system does not index.

Enable users to save charts as .png files

You can now enable users to save a report chart as a .png file. On the Chart tab of the Report Definition rule form, click General settings and select the Export chart to image check box. When you select this option, users are provided with the Save as image option, which they can use to save an image of the chart to include in a Word document or email.

For information about including a chart in a report, see Adding or editing charts from the Report Definition rule form.

Create and view application settings in App Studio

View your application settings on the new Application settings landing page in App Studio. The landing page displays the categories that you specified for your application settings. If you did not specify a category for an application setting, the application setting appears in the Uncategorized category. Additionally, when you create a new data type, the Data type wizard automatically creates an application setting for the base URLs and the authentication profile. On the Environment settings page, you can edit the application setting to specify a new name or category or accept the default values.

For more information, see Viewing application settings in App Studio and Preparing your data for production.

Upgrade impact

After a successful upgrade, you see the new Application Settings option under Settings in App Studio. 

What steps are required to update the application to be compatible with this change?

1. If the label (Application Settings) conflicts with your existing extension, change the label by overriding the following field value:
   PEGA-EXT- EXPEXPLORER-SETTINGS-APPSETTINGS PYCAPTIONIEXTENSION!LABEL
2. If you need to disable the landing page and prevent it from appearing in App studio, change the following toggle to No:
   PegaRULES: DisableSettingsLandingPage

Automatic management of run-time context for background processing

Management of system run-time context is now automatic. You no longer need to manually modify the AsyncProcessor requestor type context to make a queue processor or job scheduler work after importing or upgrading an application. Additionally, you do not need to manually modify the AsyncProcessor requestor type context to make new queue processors and job schedulers work.

For more information, see System general landing page and Automating the runtime context management of background processes.

Upgrade impact

After upgrade, you manage the runtime context of your background processing in System Runtime Context instead of in the deprecated AsyncProcessor requestor type.

What steps are required to update the application to be compatible with this change?

Select the Include in background processing option in the Advanced section of the application rule form for all applications that use background processing (such as Job Schedulers and Queue Processing). When this option is enabled, the system automatically includes the rulesets (for the application and its components) in System Runtime Context used for resolving and running Queue Processors and Job Schedulers. Also, when the option is enabled, the application is placed on the System Runtime Context list during application rule saves (such as during application import and migration).