This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Enabling encrypted communication between nodes

Updated on September 10, 2021

Pega Platform™ supports encrypted communication between nodes. Encryption is useful when compliance rules require all intracluster communication to be encrypted, such as when working under HIPAA regulations.

Enabling encryption involves the following high-level steps:

  1. Create the keystore and truststore files
  2. Upload the keystore and truststore files into the Pega Platform
  3. Enable encryption
  4. Restart all nodes in the cluster

Creating the keystore.jks and truststore.jks files

If you already have a self-signed certificate (SSL), go to step 2.

  1. Create a self-signed certificate by entering the following command:

    keytool -genkey -alias <alias> -keyalg RSA -keysize <enter size> -keypass <password> -keystore cluster-keystore.jks -storepass <password>

  2. Export the self-signed certificate so that it can be added to the truststore as the trusted certificate by entering the following command:

    keytool -export -alias <alias> -file <certificate> -keystore cluster-keystore.jks -storepass <password>

  3. Create the cluster-truststore.jks file by entering the following command:

    keytool -import -alias <alias> -file <certificate> -keystore cluster-truststore.jks -storepass <password>
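
The three keytool steps above as one non-interactive script, followed by a check that the truststore really holds the keystore's certificate. This is an added example, not Pega's own code; the alias, distinguished name, key size, validity and the STORE_PASS variable are assumptions, and it uses keytool's current command names (-genkeypair, -exportcert, -importcert).

```shell
#!/bin/sh
# Added example, not Pega's own tooling. Alias, DN, key size and validity are
# assumptions; the two file names are the defaults named on this page.
# Usage: export STORE_PASS first, then
#   make_cluster_stores <dir> <alias> && stores_match <dir> <alias>

make_cluster_stores() (
  # The password comes from the STORE_PASS environment variable (:env
  # modifier), so it does not show up in the process list or shell history.
  set -eu
  : "${STORE_PASS:?export STORE_PASS before calling}"
  dir=$1 alias=$2
  ks="$dir/cluster-keystore.jks" ts="$dir/cluster-truststore.jks"
  cer="$dir/$alias.cer"

  # Step 1: self-signed key pair. -dname skips the interactive prompts;
  # -storetype JKS makes the file really JKS (newer JDKs default to PKCS12),
  # so the type chosen at upload matches the file.
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 3072 \
    -validity 365 -dname "CN=pega-cluster-example" -storetype JKS \
    -keystore "$ks" -storepass:env STORE_PASS -keypass:env STORE_PASS

  # Step 2: export the certificate only (no private key).
  keytool -exportcert -alias "$alias" -file "$cer" \
    -keystore "$ks" -storepass:env STORE_PASS

  # Step 3: import that same file into a new truststore.
  keytool -importcert -noprompt -alias "$alias" -file "$cer" \
    -storetype JKS -keystore "$ts" -storepass:env STORE_PASS

  chmod 600 "$ks" "$ts"   # the keystore contains the private key
)

stores_match() (
  # Succeeds only when the truststore entry is the same certificate the
  # keystore holds under this alias; a failed lookup counts as a mismatch.
  dir=$1 alias=$2
  a=$(keytool -exportcert -rfc -alias "$alias" -storepass:env STORE_PASS \
        -keystore "$dir/cluster-keystore.jks" 2>/dev/null) || exit 1
  b=$(keytool -exportcert -rfc -alias "$alias" -storepass:env STORE_PASS \
        -keystore "$dir/cluster-truststore.jks" 2>/dev/null) || exit 1
  [ "$a" = "$b" ]
)
```

Running stores_match before uploading catches a truststore built from a different certificate than the one in the keystore.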

Uploading the keystore and truststore files to the Pega Platform

By default, the file names are cluster-keystore.jks and cluster-truststore.jks. Change the file names by modifying the cluster/encryption/keystorename and cluster/encryption/truststorename prconfig.xml file settings, respectively. Upload the keystore and truststore files into the Pega Platform as instances of Data-Admin-Security-Keystore.

  1. In Dev Studio, click + Create > Security > Keystore.
  2. Enter a short description.
  3. In the Keystore field, enter the keystore name.
  4. Click Create and open.
  5. Enter the keystore file type, either JKS or PKCS12.
  6. Enter the keystore password.
  7. Click Upload file and upload the actual keystore file, not the certificate.
  8. Click Save.
  9. Repeat this procedure to upload the truststore file.

Enabling encryption

Enable encryption by using the cluster/encryption/enabled Dynamic System Setting.

  1. Click + Create > SysAdmin > Dynamic System Settings.
  2. Enter a short description.
  3. Enter Pega-Engine in the Owning Ruleset field.
  4. Enter cluster/encryption/enabled in the Setting Purpose field.
  5. Click Create and open.
  6. On the Settings tab, enter true in the Value field.
  7. Click Save.

You can also enable encryption by setting cluster/encryption/enabled to true in the prconfig.xml file. The setting in the prconfig.xml file takes precedence over the Dynamic System Setting unless there is no entry in the prconfig.xml file.

    <env name="cluster/encryption/enabled" value="true" />

Restarting nodes

After you complete all the preceding tasks, restart all nodes in the cluster.

If either the keystore.jks or the truststore.jks certificate is not available in the Pega Platform, the Pega Platform fails to start. Follow the instructions in the error message to resolve the problem.