INC-173162 · Issue 650795
Certificate match will use Subject Distinguished Name
Resolved in Pega Version 8.7
Signature verification was failing due to the system not finding the matching root certificate for the chain. The root certificate was in the trust store, but the system found a different certificate first and that other certificate (an intermediate certificate) was not considered a valid certificate for validating the whole certificate chain. This was traced to filtering on the Issuer Distinguished Name (DN) instead of the Subject DN and was due to intermediate certificates potentially having the same Issuer as a root certificate (e.g. if that root certificate was used to create the intermediate certificate). To resolve this, an update has been made to check the Subject DN instead of Issuer DN.
SR-D38318 · Issue 519710
Data pages explicitly cleared after QP use
Resolved in Pega Version 8.2.6
The Util Node was showing as Offline in the Search Landing Page, and when Jobs were submitted for execution from other Nodes the message "Detected active run with unreachable nodes" was logged. The util node, configured as a backgroundprocessing node, was running QPs; the queue size for custom QPs is 500 messages /queue items per minute, but investigation showed the requestor level and thread level data pages corresponding to the QP activities were not being cleared after use. This led to high heap memory issues that made the node unreachable, and has been resolved by adding code to explicitly remove the data pages when processing has finished.
INC-174625 · Issue 655242
Admin Studio will consider cluster protocol when returning listener status
Resolved in Pega Version 8.7
When using a few nodes in standalone mode for BIX extract combined with server nodes using Hazelcast, opening the admin studio pages with service discovery caused an error to be thrown. This was traced to the system writing an entry to pr_sys_statusnodes table as an embedded node whenever a BIX extract was triggered, causing those standalone nodes to be incorrectly considered by the listener landing page. This has been resolved by configuring the system to either return the local member when the cluster protocol is standalone or to return all Hazelcast members if the cluster protocol is Hazelcast.
INC-181941 · Issue 664808
Handling added for using virtual network interface for Stream Services startup
Resolved in Pega Version 8.7
After update, the restart of any node failed with the error "Unable to create DSM service DATA-DECISION-SERVICE-STREAMSERVER DEFAULT". This has been resolved by adding support for allowing stream service to start on the virtual network interface in cases where it was explicitly configured via the "cluster/hazelcast/interface".
SR-D63727 · Issue 531724
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.2.6
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
INC-196447 · Issue 684644
Enhancements added for external Kafka Stream Service
Resolved in Pega Version 8.7
To ensure data privacy when using multi-tenant Stream Service hosted on a single Kafka cluster, access will be authorized based on ACLs when a tenant sends direct requests to Kafka. In addition, all Kafka resources (topics and consumer groups) are now able to contain a prefix naming convention which can be used for tenants. This is handled through using a <env name="services/stream/name/pattern" value="{tenant.name}-{environment}-{stream.name}"/> prconfig setting to set the stream name pattern. For example, if the tenant.name is resolved into "companyname", environment into "prod1", and the stream dataset name is pyFTSIncrementalIndexer, then the Topic name created on the external Kafka will be companyname-prod1-pyFTSIncrementalIndexer.
SR-D64608 · Issue 544387
Corrected filedownload extension header issue
Resolved in Pega Version 8.2.6
Filedownload header contained plain non-ascii characters which caused a security violation issue. This has been resolved by removing the filedownload header from the HTTP response when the sendfile API is used with inputstream to download a file.
SR-D51324 · Issue 523434
Authentication state refreshed after failure in mobile
Resolved in Pega Version 8.2.6
When using the mobile app, if the log in was started and incorrect credentials or empty fields were submitted and then the credentials screen was X-ed out or canceled, attempting to log in again using the correct information still received the "Authentication failed" error. A subsequent attempt with the correct credentials would then work. This was traced to the server persisting the state from the first request (per browser session), and has been resolved.
SR-D53835 · Issue 524213
Handling added for custom authentication in embedded mashup
Resolved in Pega Version 8.2.6
After embedding the Mashup gadget in an external application, at browser refresh a Cross-Origin Read Blocking (CORB) warning appeared and the gadget did not load as expected. A second refresh cleared the error. Investigation showed that when custom authentication is configured, 'use SSL' is checked in Authentication service. That meant that when the user was authenticated, the redirection was not considering the query string entered before authentication and the CORB warning was issued due to a change in response. Because there is special handling for the above use case and post-authentication redirection does not happen through the normal flow (HttpAPI), this issue has been resolved by honoring the query string stored in requestor (entered by user) while redirecting.
INC-196415 · Issue 686313
Performance improvements for revalidate and save
Resolved in Pega Version 8.7
In order to improve performance when working with very large numbers of class definitions, an update has been made to optimize the revalidate and save process by avoiding looking up all classes on the system instead using ClassDefinition for existence and checking ancestor data to ensure class is a Rule- or Data- descendant.