Beginning with Pega Platform 8.4, you can import your X.509 certificates directly
into the Pega Platform truststore.
Before you begin: The operator must have the Security Administrator role to
use the pxCanManageCertificates privilege.
Before you can begin managing x.509
certificates in the Platform truststore, you must perform the following tasks:
- Obtain an x.509 certificate.
- Make the certificate available as a file or URL.
- Create a keystore file instance to import the certificate. For more
information about importing the certificate by creating a keystore, see
Creating a keystore.
- Open the certificate management activities. For more information about
running an activity rule, see Introduction to activities.
- Run the certificate management activities as needed.
When your Pega application makes a secure outbound connection using HTTPS, the
external host presents a certificate for secure connection authentication. Your
application checks this certificate against the certificates in the Platform truststore.
If the certificate is not present, the external host is not authenticated, and an
exception is thrown. The Platform truststore holds both the public keys and certificates
of your trusted external systems. At runtime, Pega Platform looks for certificates to
load in the following order: first from the Platform truststore, then from the
application server truststore, and finally from the JVM truststore. After loading a
certificate, Pega Platform syncs updates to the certificate in real time and
presents them to applications for use with secure inbound connections.
Pega Platform features that require X.509 certificates include the functions
described below.
- Authentication services that import identity metadata exposed over an HTTPS
URL
- Connectors that access external REST API over HTTPS
If you require certificates for your application's outbound connections that do
not use HTTPS, speak to your regional Pega support team.
- In the left navigation pane of Dev Studio, click .
- In the Applies To column, click the search icon (▼).
- In the Search Text field, enter Data-Admin-Security-Certificate.
  The Record page displays the certificate management activities.
  - The activity Add certificates to Platform Truststore from Pega Keystore
    (pxAddCertificatesToPlatformTrustore) adds certificates from a Pega keystore
    rule into the Platform truststore. The activity contains the following
    parameters:
    - keystoreName: String. The Java KeyStore (JKS) or Public-Key Cryptography
      Standards (PKCS #12) instance from which to import the certificate.
    - overwriteDuplicates: Boolean. When enabled, this activity overwrites the
      existing Platform truststore certificate with a new certificate of the
      same alias. When disabled, this activity excludes duplicate certificates
      from the import.
    - checkExpiryDate: Boolean. Select this check box for this activity to
      exclude adding expired certificates to the Platform truststore.
  - The activity Change Certificate Status (pxChangeCertificateStatus) changes
    the status of a certificate to Active or Inactive. The activity contains the
    following parameters:
    - certificateAliasName: String. The alias name given to the certificate
      whose status you want to change.
    - certificateStatus: String. Enter Active or Inactive to apply the
      respective status to the certificate.
  - The activity Delete Certificate (pxDeleteCertificate) removes the specified
    certificate from the Platform truststore. The activity contains the
    following parameter:
    - certificateAliasName: String. The alias name of the certificate to remove
      from the Platform truststore.
- Select an activity to add certificates, change certificate status, or remove
  certificates from the Platform truststore.
- Run the respective certificate activity by clicking .
- Complete each field that is defined in the parameters for the activity that
  you ran.
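As an added example that is not Pega's own code, the following Java program reproduces the decision logic behind the pxAddCertificatesToPlatformTrustore parameters against plain JKS and PKCS #12 keystores: with checkExpiryDate set it skips certificates that are expired or not yet valid, and with overwriteDuplicates cleared it skips any alias already present instead of replacing it. The file names and the password are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TruststoreImport {
    // Copies X.509 entries from source into truststore, applying the same two
    // switches as the Pega activity. Returns the number of entries written.
    public static int importCerts(KeyStore source, KeyStore truststore,
                                  boolean overwriteDuplicates, boolean checkExpiryDate)
            throws Exception {
        int imported = 0;
        Enumeration<String> aliases = source.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = source.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue; // skip non-X.509 and secret-key entries
            X509Certificate x509 = (X509Certificate) cert;
            if (checkExpiryDate) {
                try {
                    x509.checkValidity(); // throws when "now" lies outside notBefore..notAfter
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    System.out.println("skip " + alias + ": " + e.getMessage());
                    continue;
                }
            }
            if (truststore.containsAlias(alias) && !overwriteDuplicates) {
                System.out.println("skip " + alias + ": alias already in truststore");
                continue;
            }
            truststore.setCertificateEntry(alias, x509); // replaces an existing trusted entry
            imported++;
        }
        return imported;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password, not a real one
        KeyStore source = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("partner-certs.p12")) { source.load(in, pw); }
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("platform-truststore.jks")) { trust.load(in, pw); }
        int n = importCerts(source, trust, false, true); // keep existing aliases, reject expired
        try (FileOutputStream out = new FileOutputStream("platform-truststore.jks")) { trust.store(out, pw); }
        System.out.println("imported " + n + " certificate(s)");
    }
}
```

Reviewing the "skip" lines before enabling overwriteDuplicates is the cheap way to confirm that a re-import will only replace the aliases you expect.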