Securing the Pega API
The Pega API requires the use of strong transport layer security, such as TLS 1.2, to ensure the safety of Pega API credentials that are transferred through HTTP basic authentication. The Pega API can function without such basic security measures, but their use is strongly recommended.
To configure security:
- Deploy the Pega application by creating and installing TLS/SSL digital certificates on your web application server for the Pega application. For instructions, see the documentation for your server.
- Confirm that the Pega API is configured to use TLS/SSL, which is enabled by default. On the Edit Service Package dialog box for the API service package, ensure that Requires authentication, Use TLS/SSL (REST only), and Suppress Show-HTML are selected.
- Test the Pega API in Designer Studio and ensure that:
  - The URL starts with https://
  - The connection uses TLS 1.2
  - Users are prompted for their Pega credentials the first time the Pega API is used in a browser session
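The three test conditions above can also be checked from a script. The following is an added example, not part of the Pega documentation: it sends one request without credentials and reports which checks fail. It assumes that the credential prompt corresponds to an HTTP 401 response carrying a Basic challenge, accepts TLS 1.3 as well as TLS 1.2, and takes the URL of a Pega API resource as its argument (the host name in the usage comment is a placeholder).

```python
import http.client
import re
import ssl
import sys
from urllib.parse import urlsplit

ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}  # names as reported by ssl.SSLSocket.version()


def evaluate(url, tls_version, status, www_authenticate):
    """Return the failed checks for one unauthenticated request; an empty list means pass."""
    failures = []
    if urlsplit(url).scheme.lower() != "https":
        failures.append("URL does not start with https://")
    if tls_version not in ACCEPTED_TLS:
        failures.append(f"negotiated {tls_version}, expected TLS 1.2 or newer")
    # Assumption: a browser shows the credential prompt on 401 plus a Basic challenge.
    challenged = re.search(r"(^|,)\s*basic\b", www_authenticate or "", re.I)
    if status != 401 or not challenged:
        failures.append(f"no Basic challenge for anonymous request (HTTP {status})")
    return failures


def probe(url, timeout=10):
    """Send one GET without credentials and return the arguments for evaluate()."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return url, None, None, None  # never send a request over cleartext HTTP
    ctx = ssl.create_default_context()  # validates certificate chain and host name
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=ctx)
    try:
        conn.connect()
        tls_version = conn.sock.version()  # read before the response can close the socket
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return url, tls_version, resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_pega_api.py https://pega.example.com/<path to a Pega API resource>
    problems = evaluate(*probe(sys.argv[1]))
    print("\n".join(problems) or "all three checks passed")
    sys.exit(1 if problems else 0)
```

A certificate that does not validate raises ssl.SSLCertVerificationError in probe(), which points back to the certificate installation step.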
PegaRULES:PegaAPI role
When you create an application, explicitly add the PegaRULES:PegaAPI role to a user's access group so that the user can use the Pega API.
PegaRULES:PegaAPISysAdmin role
Explicitly add the PegaRULES:PegaAPISysAdmin role to a user's access group to provide access to the Pega API REST user services as a system administrator. This role is not required for other services.