INC-215343 · Issue 711143
Security updates
Resolved in Pega Version 8.8
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-216053 · Issue 716445
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-216154 · Issue 718234
SMTPPort parameter will be passed to ForgotPasswordUtil
Resolved in Pega Version 8.8
When a user triggered the "Trouble Signing in" function, the SentEmailNotification activity connection was trying to use port 25 even if the SMTP Port was configured as 587 in the Email Account instance. This was due to the SMTP Port not being passed to the SentEmailNotification activity, causing a fallback to port 25 for non-SSL connections. In order to ensure SendEmailNotification uses a specified port if configured, pySMTPPort will be passed to ForgotPasswordUtil.java.
INC-217461 · Issue 714309
Key ID made optional for JWT
Resolved in Pega Version 8.8
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-219054 · Issue 718871
Data key rotation update
Resolved in Pega Version 8.8
After creating a new Azure vault keystore, attempting to force data key rotation produced the error "Unable to save keystore metadata". This has been resolved with an update to use the same master key ID as the old keystore in cases where the master key ID is the same.
INC-219086 · Issue 724268
Keypair handling updated
Resolved in Pega Version 8.8
Rest API calls were failing with invalid token error in production due to the keypairs used to encrypt the access token being different for each node. This happened when the keypair cache was maintained at node level instead of being retrieved from a database each time; when a keypair expired, a new keypair was created for each node instead of sharing one because the updates to keypair were not properly communicated among the nodes. To resolve this, a check has been added to see if a new keypair is already available in the database before creating a new keypair, handling has been added for any DuplicateKeyException that might occur while saving a keypair to the database, and a pxCreateDateTime has been added while storing the new keypair in the database. Please also note that the default key rotation period is now 180 days and can be adjusted through the setting AccessToken/KeyRotationInterval.
INC-220928 · Issue 739155
Added handling for Node Level Data Pages not loading automatically
Resolved in Pega Version 8.8
After update, the MQ listeners were not starting. This was traced to the Global Resource Setting references in the listener rules that utilize data page lookups; MQ listeners started as expected when they were hard-coded with the values present on the data page. Investigation showed this was caused by the activity running in an unauthenticated context, and has been resolved by allowing the app requestor to skip authentication.
INC-222213 · Issue 722509
Updated support for Client Assertion in Open ID Connect to generate unique JTI
Resolved in Pega Version 8.8
Following an update with an enhancement which added UI and code changes to support Client Assertion in Open ID Connect, the token expiry and issue dates were not getting set properly and the JTI was not getting generated. This has been resolved by adding code to generate a unique client_assertion on OIDC login with private_key_jwt so the JTI in client assertion will be be unique for every login.
INC-222404 · Issue 727870
AccessToken can be used for both OIDC SSO and Connect-REST
Resolved in Pega Version 8.8
When trying to specify the AuthenticationProfile with grant_type ‘authorization_code’ in the Connect-REST rule, the AccessToken was not being retrieved, and the error "services.OutboundMappingException: Caught Exception while creating OAuth2 client, Caused by: PRRuntimeException: Unable to obtain access token for client details in authentication profile configured for connector" was generated. The usage case desired is to use the same token for both OIDC SSO and Connect-REST. This worked when the scope was the same, but the key was constructed with a space between the scope and the operator ID while saving the token to the cache. The constructed key did not have this space when fetching the token during Connect-REST. To support the desired use, logic has been added to make the appropriate trim for scope in cache key generation in oauth2clientimpl.
INC-225503 · Issue 737019
DSS added to configure outflow signature digest method algorithm
Resolved in Pega Version 8.8
After update, a change was seen in the digest method of a SOAP response. The site was configured to use WS-Security Profile SHA-1 as the digest algorithm, but the warning from the testing tool WCF (Windows Communication Foundation) indicated this was not being followed with the message "the algorithm 'xmlenc#sha256' is not accepted for operation 'Digest'". For better compatibility, the DSS outflowSignatureDigestAlgorithm has been added to support configuring the outflow signature digest method algorithm.