INC-137874 · Issue 599130
Cross-site scripting update for Dev Studio
Resolved in Pega Version 8.3.5
Cross Site Scripting (Cross-site scripting) protections have been added to Developer Studio.
INC-139705 · Issue 595169
Documentation update for Security Settings for DX API
Resolved in Pega Version 8.3.5
Information on the pyDXAPIEncodeValues application setting has been added to the Security Settings for DX API article under the Application settings sub-section. The Pega Platform version that supports the pyDXAPIEncodeValues application setting is mentioned in the Supported UI capabilities article.
INC-148154 · Issue 602921
Hot Fix Manager updated to use installation order for schema import
Resolved in Pega Version 8.3.5
Schema changes were not being imported during the hot fix manager DL import process. Investigation showed this was due to hotfixes in the DL being iterated over from newest to oldest, causing older hotfixes to replace the value added to a map by the newer. To resolve this, the system has been updated to use hotfix install order, which considers selected and dependent hotfixes, rather than ordering newest to oldest. This ensures that newer table representations will override older rather than the other way around.
INC-201713 · Issue 700221
Resolved SSO logout error
Resolved in Pega Version 8.6.5
After configuring prconfig/initialization/Urlencryption/default -> true and prconfig/initialization/SubmitObfuscatedURL/default -> required, logging in to any portal using SSO resulted in a 400 error when trying to log out. This has been resolved by adding a call to the encryption Rule-Utility-Function while calling logoff activity from 'pzSingleLogoutServiceRedirectV2'.
INC-202702 · Issue 713726
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.6.5
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.
INC-212265 · Issue 714015
at+jwt header type support added
Resolved in Pega Version 8.6.5
After upgrading from Pega 7 to Pega 8, using JWT validation in the REST service package with type "at+jwt" resulted in the JSON web token being rejected during signature verification with the error "header "typ" (type) "at+jwt" not allowed". Pega uses the third-party Nimbus jar to generate and verify JWT tokens, and this issue was traced to a difference in the versions of that jar: Pega 7.3 uses the nimbus-jose-jwt 5.1 version jar, while Pega 8.6+ uses the 8.20 jar version. Nimbus rejects at+jwt header types by default from the 8.0 jar version. To resolve this and improve backwards compatibility, at+jwt header type support has been added.
INC-216154 · Issue 718236
SMTPPort parameter will be passed to ForgotPasswordUtil
Resolved in Pega Version 8.6.5
When a user triggered the "Trouble Signing in" function, the SentEmailNotification activity connection was trying to use port 25 even if the SMTP Port was configured as 587 in the Email Account instance. This was due to the SMTP Port not being passed to the SentEmailNotification activity, causing a fallback to port 25 for non-SSL connections. In order to ensure SendEmailNotification uses a specified port if configured, pySMTPPort will be passed to ForgotPasswordUtil.java.
INC-217461 · Issue 714310
Key ID made optional for JWT
Resolved in Pega Version 8.6.5
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-219208 · Issue 717217
Updated OAuth2 registration handling for modified application definition
Resolved in Pega Version 8.6.5
After update, attempting to resave an application definition after any modification resulted in the error "Application OAuth2 client registration is failed. Error Message: PegaApp_XXBase:Client already exists". This was due to pxCreateRecord being called to create the authentication profile: as it was already present, it failed to create a new one. This has been resolved by changing pxCreateRecord to Obj-Save in this process. This change will only be applied on newly created applications using the Data-Application-OAuth2ClientRegistration instance. The solution for already exported applications is to delete the corresponding OAuth2 client (PegaApp_<application id>) and resave the application to create a new client along with the needed metadata.
INC-222213 · Issue 722507
Updated support for Client Assertion in Open ID Connect to generate unique JTI
Resolved in Pega Version 8.6.5
Following an update with an enhancement which added UI and code changes to support Client Assertion in Open ID Connect, the token expiry and issue dates were not getting set properly and the JTI was not getting generated. This has been resolved by adding code to generate a unique client_assertion on OIDC login with private_key_jwt so the JTI in client assertion will be be unique for every login.