SR-C53056 · Issue 398514
Bulk delete updated and NPE handling improved to resolve deadlock when loading data flow landing page
Resolved in Pega Version 8.2
A large number of data flow objects on the data flow landing page were making the system unresponsive, and bulk delete activity would sometimes fail on a null pointer exception when progress could not be retrieved. To resolve this, the bulk delete activity provided in [Data-Decision-Service] pyDeleteByStatusAndTime has been modified to be more flexible by allowing deletions based only a date or a status, and the documentation for the activity itself has been improved. Additional handling was added for a potential null pointer exception, and the activity will continue trying to delete other runs if a null pointer exception does occur. The system will not load a data flow run object anymore (which can cause issues when rules do not exist), and will instead load the run progress directly from the database.
INC-215343 · Issue 711143
Security updates
Resolved in Pega Version 8.8
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
SR-C50324 · Issue 393499
Synchronized block method added to load keystore set with RUF
Resolved in Pega Version 8.2
A recent enhancement allows for the SAML auth service to use a reference to an external file for the signing certificate keystore. When the keystore had the password set using a Rule-Utility-Function, rather than being static, there were intermittent login fails with the error "unable to process SAML WebSSO request1" on the screen, and the RULES logs contained thousands of entries of an error indicating "Password is wrong". It was sometimes possible to log in by starting a new browser sessions and trying again. This was an issue with the PasswordHash property being changed from a static to a non-static field: it was not thread safe, though each object got its own copy of the instance, because if two or more threads call the setPasswordHash() method on the same object, all of these threads tried to simultaneously update the passwordHash instance variable and incorrect results were seen. To correct this, the system will use a synchronized block when loading the entries into cache in the getKey() method - Caller function of KeystoreCacheImpl.java.
SR-C46537 · Issue 395372
Code added to format location header for redirect response in IE
Resolved in Pega Version 8.2
When using Internet Explorer, authentication was working but the portal did not load. This was traced to IE mandating the presence of a location header in the response: an HTTP 303 "See Other Response" was being returned along with the initial portal HTML payload, but recent modifications to SAML 2.0 to use the PRAuth Servlet were missing this specific redirect case. To resolve this, generic code has been inserted that adds the location header in all redirect cases.
INC-214974 · Issue 721179
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.8
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/88/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."
INC-211426 · Issue 706059
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-216053 · Issue 716445
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
SR-D45608 · Issue 519902
Correct service instance name passed for data flow in DSMStatus
Resolved in Pega Version 8.1.8
When using the Connect-HTTP service "DSMStatus" to provide the node and status information as seen on the various tabs of the Designer Studio > Decisioning > Infrastructure > Services landing page, using DataFlow as the service parameter for the HTTP service method resulted in an empty response when the expectation was to get the information regarding the cluster details of Dataflow node type. This was traced to the service instance name not being parsed correctly when used for Data Flow services, and has been resolved by ensuring the correct service instance name is passed for this use.
INC-176138 · Issue 723084
Performance improvements for save-as
Resolved in Pega Version 8.8
Performance issues were seen when using save-as for rules such as Declare expression, When rules, activity, etc. This was traced to a very large number of extra database queries that were being executed while building the Declarative Cache. To resolve this, an update has been made so the queries used for the Declarative Cache will only be executed when required.
INC-198555 · Issue 720899
Performance improvements for save-as
Resolved in Pega Version 8.8
Performance issues were seen when using save-as for rules such as Declare expression, When rules, activity, etc. This was traced to a very large number of extra database queries that were being executed while building the Declarative Cache. To resolve this, an update has been made so the queries used for the Declarative Cache will only be executed when required.