SR-B38602 · Issue 296751
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."
SR-B38602 · Issue 297290
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."
SR-B38647 · Issue 297399
ServiceExport folder access restricted for guest users
Resolved in Pega Version 7.3
In order to increase data security, access to the 'ServiceExport' folder has been blocked for Guest users (Un-Authenticated users who have pre-atn cookie) on single-tenant sites. Once the user is logged in with valid credentials, the folder contents will be available. For backward compatibility the PRConfig setting 'serviceexportcontent/allowtoguestusers' has been added; if set to true then guest users will have access. The default is false.
SR-B39489 · Issue 290738
KeyStoreType of PKCS12 passes validation
Resolved in Pega Version 7.3
Keystore has an allowed file type of PKCS12, but an invalid type error was generated when trying to create a keystore file of this type. This has been corrected.
SR-B39528 · Issue 303228
Node startup modified to support very large clusters
Resolved in Pega Version 7.3
Node startup was failing if the cluster had more than 50 nodes. This issue was caused by the query to the "pr_sys_statusnodes" table only returning 50 records; this limitation has been removed.
SR-B40059 · Issue 296152
IACAuthentication security improved
Resolved in Pega Version 7.3
The IACAuthentication activity assumed third party authentication and did not check for a password. In order to improve security, default password validation has been added to the shipped IACAuthentication activity.
SR-B40657 · Issue 298764
Clarified database privileges to start Pega
Resolved in Pega Version 7.3
The documentation has been updated for clarity regarding database privileges for start up. The text "Pegasystems recommends that you create an Admin user separate from the Base user; however, if you opt for a single Base user, grant these permissions to the Base user" has been modified to read: "Pegasystems recommends that you create an Admin user separate from the Base user; however, if you opt for a single Base user, grant the Base user both sets of privileges listed above."
SR-B41874 · Issue 301766
View parsing regex fixed for union statements
Resolved in Pega Version 7.3
While importing jar file through import out-of-the-box, generated SQL Scripts from the manual option system had scripts which were already present in the Database. This was caused by the view parsing regex not handling UNION statements, and has been corrected.
SR-B42009 · Issue 304044
Authentication timeout smoothed for re-login
Resolved in Pega Version 7.3
If custom authentication was used with a stream specified to enter credentials upon authentication timeout, re-login failed after the timeout. This was traced to two issues: first, the custom configuration defaulted to using the out-of-the-box stream "Web-TimeOut", which expects the password to be in base64 encoded format and so attempts to base64 decode it. This caused an authentication failure. Second, when restarting with authentication instead of a timed-out request, the starting activity of operator was being executed and the portal was rendered unexpectedly. To resolve this, the object references needed for the successful resumption will be cloned when there is authentication timeout and used for redirection upon successful authentication.
SR-B42911 · Issue 301591
Tomcat config documentation clarification
Resolved in Pega Version 7.3
The documentation for using Tomcat has been updated for clarity. Step 2b of 'Configuring Tomcat by editing the context.xml file' indicates that configuration of the Admin datasource is optional (which it is), but steps 3 and 4, which use this datasource, were not labeled as conditional on 2b. As a result, those opting not to use the admin datasource believed those settings needed to be added. In the new text for steps 3 and 4, the clarification "For dual-user configurations only, insert..." has been added.