SR-D96395 · Issue 555117
CDK key loading modified for better database compatibility
Resolved in Pega Version 8.3.3
Users were unable to log on to the system and received the error "There has been an issue; please consult your system administrator." Investigation showed the log errors stating "(dataencryption.DataKeyProvider) ERROR localhost - Could not get CDK from systemKeyManagementCache - System CDK is null". This was an issue specific to the MS SQL Server database when there were 6 or more CDKs in the database: CDK keys are loaded from database into Cache using an SQL statement which had the ORDER clause. By default, the ORDER clause treats NULL values differently on different databases, and this caused MS SQL databases to not load a necessary CDK key. To resolve this, the SQL query has been modified so the result will be the same for all supported daatbases (Oracle, Postgres & MS SQL Server).
SR-D79181 · Issue 551123
OKTA receives parameters on logout
Resolved in Pega Version 8.3.3
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D64566 · Issue 547513
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.3.3
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.
SR-D75498 · Issue 545068
Resolved null-pointer exception for Token based Authenticated Rest
Resolved in Pega Version 8.3.3
When logging in with auth0 OIDC auth service and then trying to use connect-Rest with an authentication profile using an auth0 provider, a null pointer error was generated indicating connect-Rest could not find the Access token. Even thought the Authentication service (OIDC) and authentication profile (authorization grant) both had the same scopes (“openid profile email”), OIDC flow and authentication profile save the Access Token with different scopes. Specifically, OIDC saves the token with an extra trailing space. Handling has been added to correct this.
SR-D92837 · Issue 551004
SameSite cookie setting updated for pre-authentication
Resolved in Pega Version 8.3.3
In work done in previous versions to modify the SameSite cookie handling to support Mashups in Google Chrome v80+, SameSite was set to None only in case of an authenticated Pega-RULES cookie and not for a Pre-authenticated cookie. That caused the Samesite value to not be set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, Samesite will be set to 'None' when using pre-authenticated cookie, which will match the way it is being set in authenticated cookie.
SR-D90452 · Issue 551808
SSOPreAuthenticationActivity runs until success
Resolved in Pega Version 8.3.3
When a user visited a public-facing application via a Single Sign-On (SSO) URL that redirected to SAML IDP for authentication, the first time the URL was hit the system correctly executed pySSOPreAuthenticationActivity as part of pre-authentication to determine if authentication is possible/allowed. If the pySSOPreAuthenticationActivity set the pyAuthenticationPolicyResult to 'false', authentication was not allowed: the user was not redirected to the IDP and an error message was shown. However, if the same URL is hit again after that rejection without any changes, the user was redirected to the IDP for authentication because the preauthentication activity was not run again. This has been resolved by updating the system to continue to call the pre-authentication activity for the SSO URL until a success status is returned by the activity.
INC-145293 · Issue 674901
Additional diagnostic logging added for ElasticSearch startup issues
Resolved in Pega Version 8.7
The PyIndexerState was stuck in Starting status during node initialization. This issue could occur if the filesystem became hung due to network level issue while scanning entries from /etc/mtab, resulting in a lock which was not released correctly. In order to better determine which node entry in a cluster may be responsible for the hang, an update has been made which will use a temporary virtual environment to repeat the part of the initialization phase responsible and generate additional logs for debugging. To activate this, the PegaSearch.Diagnostics logger must be set in DEBUG mode. This duplicated virtual initialization will not interrupt the normal initialization.
INC-153849 · Issue 641925
Updated replica management for search clusters
Resolved in Pega Version 8.7
When using a cluster with two Universal nodes in the cluster, a daily restart process where the second node was not started until the first was fully up resulted in Search initialization failing for the first node while becoming active on the second node. This was traced to the methods used in increasing and decreasing replicas. This has been resolved by revising the handling of ElasticSearch node lifecycle and replicas through a new option "Dindex.searchNodeCount " which includes a specification for the number of expected search nodes. If this option is not present, the old method will be used.
INC-160190 · Issue 658125
Logic updated to allow page property and declare index with the same name
Resolved in Pega Version 8.7
A Property which was in a Pagelist which in turn was embedded in a Page was not visible in the Report Browser. This was traced to the two properties sharing the same name, and was caused by a check which ensured only entries with unique names were added. In order to support this configuration, logic has been added to pzAddPropListForClass_TreeGrid such that if a page property and declare index share the same name, they are both added to the tree grid.
INC-162649 · Issue 639400
DSS added for handling missing attachments
Resolved in Pega Version 8.7
When an S3 repository was configured as storage, some cases were not coming up in search and exception errors were seen in logs for a deleted attachment after every system restart/re-indexing of the search. Investigation showed these case objects were in the broken queue for pyFTSIncrementalIndexer due to a null pointer error encountered when indexing the attachment, and that the attachments were available in the repository but could not be read from the attachment repository during indexing. To resolve this, a new DSS setting has been added which allows selecting one of two behaviors: * Pega-SearchEngine indexing/distributed/fail_on_missing_attachment_file = true : broken item is generated, but with a meaningful error message. This is the default behavior * Pega-SearchEngine indexing/distributed/fail_on_missing_attachment_file = false: case is indexed, but without the problematic attachment. Error message is printed out to the logs.