Securing the Pega API
Pega API credentials are transferred through HTTP basic authentication, so they are protected only by the transport layer: use TLS 1.2 when installing your Pega application. You can also secure the Pega API by using OAuth 2.0.
- Deploy your Pega application by creating and installing TLS/SSL digital certificates on your web application server for the Pega application. For instructions, see the documentation for your server.
- Confirm that the Pega API is configured to use TLS/SSL, which is enabled by default. On the Edit Service Package dialog box for the API service package, ensure that Requires authentication, Use TLS/SSL (REST only), and Suppress Show-HTML are selected.
- Test the Pega API in Dev Studio and ensure that the URL starts with https://, the connection uses TLS 1.2, and users are prompted for their Pega credentials the first time the Pega API is used in a browser session.
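As an added example (not Pega's own code or tooling), the following Python script checks the three properties from the list above for one endpoint: the URL scheme is https, the negotiated protocol is TLS 1.2 or newer, and an unauthenticated request is rejected with a credential challenge (a 401 with a Basic challenge for the default configuration, or a Bearer challenge if OAuth 2.0 is used). The base URL, realm and response values are constructed placeholders, and the `probe` function is the only part that touches the network.

```python
"""Offline-checkable helpers for verifying a Pega API deployment against the
guidelines above: HTTPS only, TLS 1.2 or newer, and authentication required.
Added example, not Pega's own code. All sample values are constructed."""
import http.client
import ssl
from urllib.parse import urlparse

# Constructed placeholder; replace with your own Pega API base URL.
PEGA_API_BASE_URL = "https://pega.example.invalid/prweb/api/v1"


def check_https_url(url: str) -> bool:
    """True only if the URL uses the https scheme and names a host."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def make_tls12_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 and verifies
    the server certificate, so the certificate installed on the web
    application server must chain to a trusted CA for the probe to succeed."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def requires_authentication(status: int, headers: dict) -> bool:
    """Interpret the response to an unauthenticated request. A service
    package with 'Requires authentication' selected should answer 401 and
    challenge for credentials; a Basic challenge is what makes the browser
    prompt for Pega credentials on first use, Bearer is the OAuth 2.0 case."""
    if status != 401:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate", "")
    scheme = challenge.split(" ", 1)[0].lower()
    return scheme in ("basic", "bearer")


def tls_version_ok(negotiated: str) -> bool:
    """Accept the version strings ssl.SSLSocket.version() reports for TLS 1.2+."""
    return negotiated in ("TLSv1.2", "TLSv1.3")


def audit(url: str, status: int, headers: dict, negotiated: str) -> dict:
    """Combine the three checks into one pass/fail map per property."""
    return {
        "https_url": check_https_url(url),
        "tls_1_2_or_newer": tls_version_ok(negotiated),
        "requires_authentication": requires_authentication(status, headers),
    }


def probe(url: str, context: ssl.SSLContext, timeout: float = 10.0):
    """Issue one unauthenticated GET and return (status, headers, tls version).
    Network call; the offline checks above do not depend on it."""
    parts = urlparse(url)
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port, context=context, timeout=timeout
    )
    try:
        conn.request("GET", parts.path or "/", headers={"Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), conn.sock.version()
    finally:
        conn.close()


if __name__ == "__main__":
    status, headers, negotiated = probe(PEGA_API_BASE_URL, make_tls12_context())
    for name, passed in audit(PEGA_API_BASE_URL, status, headers, negotiated).items():
        print(f"{name}: {'OK' if passed else 'FAIL'}")
```

Run it against your own base URL once the certificates are installed; any `FAIL` line maps directly to one of the three settings in the Edit Service Package dialog box or to the server's TLS configuration.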
Following are some guidelines for roles and privileges that you might need to configure.
- PegaRULES:PegaAPI role - When you create an application, explicitly add the PegaRULES:PegaAPI role to a user's access group so that the user can use the Pega API.
- PegaRULES:PegaAPISysAdmin role - Explicitly add the PegaRULES:PegaAPISysAdmin role to a user's access group to provide access to the Pega API REST user services as a system administrator. This role is not required for other services.
- PegaRULES:SysOpsObserver and PegaRULES:SysOpsAdministrator roles - To use the Caches, Pools, and Nodes APIs, you must have the following roles:
  - To perform GET operations, the PegaRULES:SysOpsObserver role.
  - To perform other operations, for example, PUT, DELETE, POST, the PegaRULES:SysOpsAdministrator role.