INC-216894 · Issue 712241
Refresh added to limit commit log partition size
Resolved in Pega Version 8.6.4
Issues were seen on DDS nodes, including slowness and randomly dropping out and being replaced by new nodes. WARN messages in Cassandra logs reported issues relating to a large partition size of adm_response_commit_log_date_tiered table. Investigation showed the large partition size (over 10GB) was causing frequent C* query timeouts due to scanning a large number of tombstones, resulting in node terminations. This has been resolved with an update which will limit the commit log partition size by refreshing the NID every set interval.
INC-164432 · Issue 696294
Global obfuscation key initialized on first requestor call
Resolved in Pega Version 8.6.4
When using URLEncryption = true and SubmitObfuscatedURL = optional, attempting to export an Excel spreadsheet resulted in the error "Invalid character found in the request target". This was traced to the variable pega.d.globalobfuscateKey having a null value which was then converted to a byte array and decoded, generating improper characters in the URL. After a browser refresh, the correct value was set in pega.d.globalobfuscateKey and the export worked as expected. To resolve this, an update has been made to initialize the key on the very first call in PRRequestorImpl when the global obfuscation key is determined to be NULL instead of initializing the global obfuscation key by on-demand basis from HTTPAPI.
INC-182827 · Issue 691528
URL security updated
Resolved in Pega Version 8.6.4
Security has been updated for URL tampering defense and Rule Security Mode.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-211426 · Issue 706061
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.6.4
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-215343 · Issue 711141
Security updates
Resolved in Pega Version 8.6.4
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
SR-133183 · Issue 205535
Fixed flow line distortion in Process Modeler
Resolved in Pega Version 7.1.9
When clicking through to a subprocess from a parent flow (by clicking the + sign in the blue subprocess shape), flow lines in the subprocess were shown in a distorted fashion. When opening the same flow in a separate tab (by right clicking the blue subprocess shape and selecting Open Flow) the flow lines were correctly painted. This was an issue caused by the different renderings of the flow depending on whether there was a click through to it (with the + on the parent flow?s subprocess shape), or the subflow was opened in a separate tab (with open Flow). After the Process Modeler saved and checked-in the flow, the connector lines were re-drawn in ways that were non-intuitive and hard to interpret due to the edge routing in PM being calculated off incorrect input data that was taking into account shapes that were not represented on the screen. To fix this, the system now ensures the edges are routed without taking into account any shapes not represented on the canvas.
SR-133184 · Issue 203710
Fixed flow line distortion in Process Modeler
Resolved in Pega Version 7.1.9
When clicking through to a subprocess from a parent flow (by clicking the + sign in the blue subprocess shape), flow lines in the subprocess were shown in a distorted fashion. When opening the same flow in a separate tab (by right clicking the blue subprocess shape and selecting Open Flow) the flow lines were correctly painted. This was an issue caused by the different renderings of the flow depending on whether there was a click through to it (with the + on the parent flow?s subprocess shape), or the subflow was opened in a separate tab (with open Flow). After the Process Modeler saved and checked-in the flow, the connector lines were re-drawn in ways that were non-intuitive and hard to interpret due to the edge routing in PM being calculated off incorrect input data that was taking into account shapes that were not represented on the screen. To fix this, the system now ensures the edges are routed without taking into account any shapes not represented on the canvas.
SR-131072 · Issue 203709
Requestor token creation added for PRExternal authentication
Resolved in Pega Version 7.1.9
When using a PRExternal authentication scheme, the csrfsession requestor token was not created. This caused a heavy volume of INFO logging messages in production due to the null token. This authentication path has now been added and the token will be correctly created for use.
SR-131691 · Issue 202207
Improved performance for incorrect password handling
Resolved in Pega Version 7.1.9
When the operator entered the wrong password in the login screen, numerous "Stream Overwritten" alerts appeared the Alert log. There was no workflow problem involved, but the logging indicated that there was an additional unnecessary call being made to Stream Web-Login, and that unneeded call has been removed to improve system performance and remove the error being logged.