Skip to main content

Published Release Notes

Find release notes for the selected Pega Version and Capability

Browse resolved issues for Platform releases.

This documentation is for non-current versions of Pega Platform. For current release notes, go here.

Add the security checklist to applications created before 7.3.1

Valid from Pega Version 7.3.1

The security checklist is now automatically added to applications. You can manually add the security checklist to applications that were created in earlier versions.

You can improve the security of your application by completing the tasks on the checklist.

The following task reflects the procedure on how to manually add the security checklists to Designer Studio prior to 7.3.1:

  1. In the header of Designer Studio, click the name of the application, and then click Definition.
  2. Click the Documentation tab.
  3. In the Application guides section, click Add guide.
  4. In the Application guide& field, enter pxApplicationSecurityChecklist.
  5. Click the Configure icon in the Available in column and select the portals (App Studio and Dev Studio) that you want to add the security checklist to.
  6. Click Save.

New JWT access token format: Authorized Access Token

Valid from Pega Version 8.5

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

  • The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
  • A single token can be used with multiple applications.
  • The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
  • As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Valid from Pega Version 8.5

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid: 

  • Valid tokens have the “active”:true status
  • Invalid tokens have the “active” :false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

 

For more information, see OAuth 2.0 Management Services.

Enhanced refresh token strategy

Valid from Pega Version 8.5

You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case. 

These can be configured in the OAuth2 Client registration rule form.

For more information, see Enhanced refresh token strategy.

Enhancements to token lifetime limits

Valid from Pega Version 8.5

Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.

These can be configured in the OAuth2 Client registration rule form.

For more information, see OAuth 2.0 Management Services.

Improving basic access control

Valid from Pega Version 8.5

Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls from otherwise authenticated users.

For more information, see Access Control Checks.

Upgrade impact

After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls  by using registration or encryption mechanisms.

What steps are required to update the application to be compatible with this change?

After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.

Default value of the threadpoolsize agent affects batch indexing

Valid from Pega Version 8.5.2

After you patch Pega Platform to version 8.5.2 or higher, the system changes the default value of the threadpoolsize agent, which controls the number of concurrent activities (threads) in the system, from 5 to 15. Batch indexing in Pega Platform does not require all 15 threads, so you can change the agent value to increase system performance by managing the indexing/distributed/batch/numworkers dynamic system setting.
If your deployment does not support that setting, and batch indexing does not use Queue Processors, the system uses the threadpoolsize value for batch indexing instead.

For more information, see Editing a dynamic system setting.

Descendant class instances now included in reports

Valid from Pega Version 7.2

The Report on descendant class instances option on the Data Access tab of the Report Definition rule has a new option to now include data from all descendant classes of the report's primary class. If descendant classes are mapped to multiple class tables, the generated SQL query performs UNIONs to include this data. Previously, only a single class was included in the report.

You can select a subset of descendant classes to include or exclude by adding a filter condition on pxObjClass.

Existing reports retain the older behavior for this option after an upgrade or update. To use the new option, you must set it for each existing report. New reports created in Designer Studio and out-of-the-box Pega 7 Platform template reports from which new reports are created in the Report Browser (pyDefaultReport and pyDefaultSummaryReport) default to the new option. If you have created custom template reports for some application classes, you must change them to enable the new option in reports that are created in the Report Browser for these classes.

See Reporting on data in multiple class tables.

Report Definition query filters can search embedded properties

Valid from Pega Version 7.2

Filter conditions on Report Definition rules that query the Elasticsearch indexes can now reference embedded properties. Previously, filter conditions could reference only the top-level properties of a class. To reference an embedded property within a filter condition, specify indexes for embedded page lists and page groups, for example, Customers(1).Addresses(1).City = Boston OR Customers(1).Addresses(1).State = MA.

These indexes are ignored in the generated query, and so can potentially match any value in a page list or group. However, filter conditions that reference multiple embedded properties in the same page list or page group, as displayed above, might not be satisfied on the same page.

BIX extracts can be scheduled and run from the Pega 7 Platform by using agents

Valid from Pega Version 7.2

You can create an agent that periodically invokes the new pxExtractDataWithArgs activity to run a BIX Extract rule. The activity takes the class and extract rule name, as well as an additional input string with a list of BIX command-line parameters, as input parameters to use for the run.

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us