SR-D46681 · Issue 514433
SnapStart supports SAML2 Authentication
Resolved in Pega Version 8.2.5
When using an HTTP Post to SnapStart into Pega using PRCustom style or PRAuth style SAML authentication, the login was looping back to the login request. Investigation showed that the Pega ACS was posting data properly back to the RelayState URL, however the login activity was not getting the SAMLResponse and simply sent a SAML Login Request again. This has been fixed by updating reqContextURI in case of SAML2 Authentication service so pyActivity=value will be passed.
SR-D38318 · Issue 515960
Data pages explicitly cleared after QP use
Resolved in Pega Version 8.2.5
The Util Node was showing as Offline in the Search Landing Page, and when Jobs were submitted for execution from other Nodes the message "Detected active run with unreachable nodes" was logged. The util node, configured as a backgroundprocessing node, was running QPs, the queue size for custom QPs is 500 messages /queue items per minute, but investigation showed the requestor level and thread level data pages corresponding to the QP activities were not being cleared after use. This led to high heap memory issues that made the node unreachable, and has been resolved by adding code to explicitly remove the data pages when processing has finished.
SR-D51554 · Issue 514061
Local UUID cache will be updated when merge event is detected
Resolved in Pega Version 8.2.5
Cluster-related issues were seen in multiple production clusters. For some nodes in the cluster the Cluster Management screen showed all expected nodes with valid Node IDs displayed, and on other nodes the Cluster Management screen showed the node ID of itself, SERVER@localhost:5701. On an impacted node displaying the wrong ID, the Node Information landing page did not work and displayed the error "Unable to execute job on ." Multiple advanced agents running on nodes in the affected clusters, both with correct and incorrect IDs, also failed with a similar error "Unable to execute job on <node's job id>". This was traced to a merge performed after a split brain. To resolve this, the code has been updated to handle merge events: when the node UUID is changed as part of a split brain recovery, the local UUID cache will be updated when the merge event is detected.
SR-D37894 · Issue 505975
Query parameters will be cleared after redirection from authentication
Resolved in Pega Version 8.2.5
When using the /PRAuth Servlet, running a snapstart URL generated from a secondary application correctly executed SAML Authentication and Pega processing, but a second URL generated with different parameters ran with the parameters from the first request. The third and subsequent requests processed as expected with the parameters sent in with the request. Investigation showed that the previous parameters were picked due to the query string parameters not being cleared after redirection, and this issue has been resolved by updating the system so it will clear the parameters after issuing a redirect from the authentication policy engine.
SR-D78274 · Issue 544091
Handling added for dual privileges with MSSQL
Resolved in Pega Version 8.3.3
After setting up dual privileges, the Admin user was able to create a table but the base user received an "insufficient privileges" error. Investigation showed this was an issue when using MSSQL: the generated grant statements used the server login name as the user in the grant statement, instead of the database user. For all other databases, the username passed into the connection is the correct user to use for grants. Only MSSQL has a distinction between this connection user name (the login) and the database user, and since the login did not exist in the user table, the grant failed. To resolve this, when MSSQL is used, the system will fetch the underlying database user when determining the user for grant statement generation.
SR-D32972 · Issue 513488
HTML entity handling added to URLObfuscation
Resolved in Pega Version 8.2.5
When URLObfuscation was enabled through the configuration settings, clicking on Operator -> Profile page generated an ArrayIndexOutOfBoundException. When obfuscation is used the decrypted string is parsed and the request map is populated, but HTML entities were not considered during this process. To resolve this, handling has been added for HTML entities and characters during obfuscation. Please note: URL Obfuscation is a legacy feature with many known limitations and it is no longer recommended that these settings be used.
SR-D89002 · Issue 549102
SameSite cookie setting updated for pre-authentication
Resolved in Pega Version 8.3.3
In work done in previous versions to modify the SameSite cookie handling to support Mashups in Google Chrome v80+, SameSite was set to None only in case of an authenticated Pega-RULES cookie and not for a Pre-authenticated cookie. That caused the Samesite value to not be set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, Samesite will be set to 'None' when using pre-authenticated cookie, which will match the way it is being set in authenticated cookie.
SR-D70872 · Issue 545856
Kerberos authentication parameters propagated for deployment
Resolved in Pega Version 8.3.3
Attempting to perform a deployment using Kerberos authentication to an Oracle database failed with an authentication error. This was traced to the java system properties (for example, -Dname=value) required by the Oracle JDBC driver for Kerberos authentication intermittently not being set when connections were being made to the database. When they were not being set, the connection would fail due to authentication. This has been resolved by ensuring the java system properties (-D's) that were provided to the 'custom.jvm.properties' property in the collection of deployment related *.properties files are being propagated to every part of the deployment scripts.
SR-D77956 · Issue 547256
Column type configured correctly in Care Management
Resolved in Pega Version 8.3.3
When using database tables for concrete class groups with the column pyassignedoperator as character type without size, upon installation on higher environments the message "ERROR: length for type char cannot exceed 10485760 for colum "pyassignedoperator" CHAR (2147483647)" appeared. As a workaround it was possible to manually change the column type, but this issue has been resolved by updating the handling of BPCHAR types while cloning the table. BPCHAR type will be taken as CHAR.
SR-D64523 · Issue 545670
Stream Registration deprecated and replaced
Resolved in Pega Version 8.3.3
Previously, Stream Registration, which was added as an extra layer of protection during the display of stream rules, automatically registered any streams being used in the context and checked this registry during reloadSection/reloadHarness calls to prevent Broken Access Control attacks. However, only an alert was thrown and no further action was being taken on it. With platform added support for URL Tampering, Stream Registration is no longer required and has been deprecated. The URL Tampering function has the capabilities to register for auto/non-auto rules and configure whether to display warning or reject the request for all the activities, and not just the stream rules. Note that URL Tampering will do registration/validation only when security/rejectTamperedRequests is explicitly set to true.