INC-188162 · Issue 673507
RSA-PSS signature support added for for SAML SSO
Resolved in Pega Version 8.7
The XML security jars have been updated to incorporate RSA-PSS signature algorithm support.
INC-188889 · Issue 675580
New application wizard security updated
Resolved in Pega Version 8.7
Security around displaying and running the new application wizard has been enhanced.
INC-189989 · Issue 675572
Refresh assignment checks updated
Resolved in Pega Version 8.7
Additional privilege checks have been added to refresh assignment.
INC-190384 · Issue 676573
URL validation updated to handle custom token endpoints
Resolved in Pega Version 8.7
While saving an authentication profile with OAuth details, validation was failing for a valid URL given in the access token endpoint and revoke token endpoint fields. This was traced to the use of the Apache URL validator, which considered some domains to be invalid. To resolve this, the urlvalidator constructor has been updated to include a custom RegexValidator for access token and refresh token URLs.
INC-193561 · Issue 680427
Client secret made optional for JWT Bearer Grant type
Resolved in Pega Version 8.7
After update, trying to connect a REST API using OpenAM as the provider for OAuth and using JWT Bearer as Grant type was resulting in an error indicating the request was not reaching the destination. This was traced to the client secret being designated a mandatory field when it should be optional in this case as the required key store was already configured with a JWT token profile. To resolve this, an update has been made which will make the client secret optional when the authentication scheme is JWT Bearer. In addition, the blank value caused a null pointer error when the client secret was not passed. This has been handled with a check.
INC-194287 · Issue 681065
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.7
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.
INC-196414 · Issue 684238
OAuth token refreshed when revoked on source
Resolved in Pega Version 8.7
When an OAuth token was used to authorize the APIs in the system, revoking the token at the source, i.e. from the Service side, did not automatically refresh the token and a logoff/logon was required before a fresh token was generated. This has been resolved by adding an update to explicitly purge revoked tokens.
INC-196431 · Issue 684886
Refresh assignment checks updated
Resolved in Pega Version 8.7
Additional privilege checks have been added to refresh assignment.
INC-199303 · Issue 690629
Guided Tour working from Actions menu
Resolved in Pega Version 8.7
After updating from Pega 8.4 to Pega 8.5, "Manage a Guided Tour" was no longer working under a local action when called from the Actions menu on a work object. An unspecified error message appeared in the tracer. Investigation showed there was a null pointer error caused by the menu being invoked on an invalid page, and this was traced to updated authentication requirements: registration at the portal is not reliable as it is thread-scoped and run only once. The thread name is not guaranteed to stay the same so subsequent invocations of the tour activities failed. This has been resolved by modifying the call registration function to handle the security issues related to the generation of the menu path.
INC-200299 · Issue 689561
LookUpList correctly executes during SSO login with model operator
Resolved in Pega Version 8.7
After configuring SSO to create operators on fly using a model operator, a new user logging in for the very first time had their operator ID created using the model operator, but after upgrade new users logging in to the system received the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY @BASECLASS LOOKUPLIST". This was due to the methods used for additional security on the activity @baseclass LookUpList which allows it to only be run by authenticated users, and has been resolved.