
Disabling default operators with insecure passwords

Usage Note

If you are updating or upgrading to Pega 7.4, you do not need to follow the instructions in this article. The issue has been resolved in Pega 7.4. See the Pega 7.4 Release Notes, Enhancements, the Security 7.4 note, Improved operator security.

If you are using a release prior to Pega 7.4, follow the instructions in this article to obtain and run the utility that disables default operators with insecure passwords.

Heed the Warning!

 

Detect and disable default operators with insecure passwords

A new utility is available that detects and disables default operators included with Pega software that do not have secure passwords.

Pega strongly recommends that all default operators included with Pega software be disabled or have their passwords changed to a non-default value.

Determine the hotfix you need
Request and install the hotfix
Know the caveats and options
Using the Designer Studio
Using the command line

Determine the hotfix you need

The utility for detecting and disabling default operators with insecure passwords is available in a hotfix (HFix) for the Pega Platform that you are using. The utility provided by the hotfix is planned to be permanently added to the Pega Platform in future releases starting with Pega 7.4.

Pega 7 Hotfixes
PRPC 6 Hotfixes

Pega 7 Hotfixes

If you are using the Pega 7 Platform, find the hotfix that you need to request in the following table.

Pega 7 hotfixes delivering the Disable Default Operator utility

| Pega 7 Version | Hotfix Number |
|---|---|
| 7.3.1 | HFix-38827 |
| 7.3 | HFix-38828 |
| 7.2.2 | HFix-38829 |
| 7.2.1 | HFix-38845 |
| 7.2 | HFix-38846 |
| 7.1.9 | HFix-39174 |
| 7.1.8 | HFix-39173 |
| 7.1.7 | HFix-39172 |
| 7.1.6 | HFix-39171 |
| 7.1.5 | HFix-39170 |
| 7.1.2 | HFix-39169 |

PRPC 6 Hotfixes

If you are using PRPC 6, find the hotfix that you need to request in the following table.

PRPC 6 hotfixes delivering the Disable Default Operator utility

| PRPC 6 Version | Hotfix Number |
|---|---|
| 6.3 SP1 | HFix-39575 |
| 6.3 | HFix-39166 |
| 6.2 SP2 | HFix-39165 |
| 6.2 SP1 | HFix-39164 |
| 6.1 SP2 | HFix-38848 |

Request and install the hotfix

To request and install the hotfix that you need for your Pega Platform, follow these steps:

  1. Go to My Support Portal.
  2. In the Support Requests default view, click Create to create a new Support Request (SR).
  3. In the Request Type field, select Existing Hotfix Request.
  4. In the Requested Hotfix ID field, specify the number of the hotfix you want, HFix-#####.
  5. In the Detailed Description, provide the following information:
    • Your Pega Platform version
      Example: Pega 7.3
      Example: PRPC 6.2 SP2
    • This text: Need the Disable Default Operators hotfix package
  6. Complete all the other fields of the SR form as required.
  7. When you are notified, download the hotfix package provided by GCS and save it to your computer.
  8. Install the hotfix:
    • If you are using PRPC 6.x, install the hotfix with the Update Manager.
    • If you are using Pega 7.x, install the hotfix with the Hotfix Manager.
  9. When the hotfix installation is complete, restart your application server.
    This step is necessary because the hotfix package includes Pega Engine code changes.
  10. Log in to the system as a local administrator operator.
    This is necessary to access and run the activity for the utility, pzDisableOperators.

Know the caveats and options

Warning
Optional prerequisite: Enable logging
Two ways to run the utility

Warning

The Disable Default Operators utility disables the operator administrator@pega.com.
Do NOT use this operator to run the utility: Use a local administrator operator.

Optional prerequisite: Enable logging

If you wish to have detailed information about the specific operator records disabled by this utility, you must first enable INFO level logging on the Pega Engine class com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility.

Two ways to run the utility

You can run the Disable Default Operators utility in one of two ways:

  • Using the Designer Studio
  • Using the command line

Running the utility from the command line provides options to extend the scope of the utility.

Using the Designer Studio

Enable detailed logging (optional prerequisite)
Locate and run the utility

Enable detailed logging (optional prerequisite)

To enable INFO level logging on the Pega Engine class com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility, change the logging level for this class from one of the following contexts:

  • Designer Studio > System > Tools | Operations > Logs
  • System Management Application (SMA) > Logging and Tracing > Log Level Settings

(The navigation path varies slightly depending on the Pega product release.)

Locate and run the utility

To locate and run the Disable Default Operators utility, complete the following steps:

  1. From the Designer Studio, search for the activity pzDisableOperators using the ‘old:’ keyword prefix.
    Example: old:pzDisableOperators
    The activity can be found only by using the ‘old:’ keyword prefix because it is marked as an internal rule.
  2. To run the activity, from the Action menu, click Run.
    When the activity finishes, a pop-up status window displays Status good and the message The operation completed successfully, but returned no content.
  3. Optional: Further verify successful completion of the utility by reviewing the PegaRULES logfile messages. You should see a message like the following example when the utility is run:

2017-12-08 17:40:20,074 [http-apr-8080-exec-3] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client YourAdministrator@yourCompany.com - Disabling operators from activity started..........

2017-12-08 17:40:27,521 [http-apr-8080-exec-3] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client YourAdministrator@yourCompany.com - Disabling operators from activity ended..........
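The log check in step 3 can be automated. The following is an added example, not part of the original article or of Pega's tooling: it pairs the "started" and "ended" messages per thread and operator, and reports any run that has no end marker. The sample log is constructed from the layout shown above, and the function name audit_runs is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the PegaRULES log layout shown above (not real log data).
SAMPLE_LOG = """\
2017-12-08 17:40:20,074 [http-apr-8080-exec-3] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client YourAdministrator@yourCompany.com - Disabling operators from activity started..........
2017-12-08 17:40:27,521 [http-apr-8080-exec-3] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client YourAdministrator@yourCompany.com - Disabling operators from activity ended..........
2017-12-09 09:15:02,310 [http-apr-8080-exec-7] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client OtherAdmin@yourCompany.com - Disabling operators from activity started..........
"""

# Timestamp, thread, then "INFO <server|client> <operator> - <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\]"
    r".*? INFO\s+\S+\s+(?P<operator>\S+) - "
    r"Disabling operators from activity (?P<event>started|ended)"
)

def audit_runs(log_text):
    """Pair start/end markers per (thread, operator); return (complete, incomplete)."""
    open_runs, complete = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["thread"], m["operator"])
        if m["event"] == "started":
            open_runs[key] = ts
        elif key in open_runs:
            start = open_runs.pop(key)
            complete.append({"operator": m["operator"], "start": start,
                             "seconds": (ts - start).total_seconds()})
    # Anything still open started but never logged an end marker.
    incomplete = [{"operator": op, "start": ts} for (_, op), ts in open_runs.items()]
    return complete, incomplete

if __name__ == "__main__":
    done, pending = audit_runs(SAMPLE_LOG)
    for run in done:
        print(f"complete: {run['operator']} at {run['start']} ({run['seconds']:.3f}s)")
    for run in pending:
        print(f"NO END MARKER: {run['operator']} started {run['start']}")
```
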

Using the command line

As an alternative to using the Designer Studio, you can run the Disable Default Operators utility from the command line.

Prerequisites
Enable detailed logging (optional prerequisite)
Locate and run the utility

Prerequisites

Ensure that your system fulfills the following prerequisites:

  • Java SDK version 1.7 or higher must be installed and available on the system path and the JAVA_HOME environment variable must be set.
  • The PRPC or Pega Platform distribution media must be expanded to a working folder.
  • A JDBC driver JAR file appropriate for your database type and version must be available in a folder on the computer.
  • Database credentials must be set for a user who has DML access to the Pega database.

Enable detailed logging (optional prerequisite)

To enable INFO level logging on the Pega Engine class com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility, change the logging level for this class for your version of the Pega Platform or PRPC.

Pega Platform 7.3 and later releases

Modify the logging settings in the file \scripts\config\prlog4j2.xml by adding the following logger:
<Logger name="com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility" level="info"/>

All other Pega Platform and PRPC releases

Modify the logging settings in the file \scripts\config\prlogging.xml by adding the following logging category:

<category name="com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility" additivity="false">
<priority value="info"/>
<appender-ref ref="PEGA"/>
</category>

Locate and run the utility

To run the Disable Operators utility from the command line, complete the following steps:

  1. Locate the three (3) Disable Operators script files included in the hotfix delivery file (DL-#####.zip) provided by GCS:
    • disableOperators.sh – Unix/Linux shell script
    • disableOperators.bat – Windows batch script
    • disableOperators.xml – Ant project file
  2. Copy the scripts to the \scripts folder of the expanded PRPC or Pega Platform distribution media.

    Important You must copy the scripts to the \scripts folder of the expanded distribution media because they rely upon other files and folders in the distribution media structure.

  3. Optional: If you would like to have detailed information about the specific operator records disabled by this utility, enable detailed logging.
  4. Run the Disable Operators script for your operating system with the required runtime parameters:
    1. For Windows, run disableOperators.bat.
      For UNIX or Linux, run disableOperators.sh.
    2. Determine the appropriate values for the following runtime parameters based on your site’s configuration and pass them on the script execution command-line as shown in the example:

--driverJAR
--driverClass
--dbType
--dbURL
--dbUser
--dbPassword
--rulesSchema
--dataSchema

Here is an example command-line for the Disable Operators script running on Windows:
C:\Pega\scripts\disableOperators.bat --driverJAR "C:\\Pega\\driver\\ojdbc6.jar" --driverClass oracle.jdbc.OracleDriver --dbType oracledate --dbURL jdbc:oracle:thin:@localhost:1521/Pega7 --dbUser pegaadmin --dbPassword pegaadmin --rulesSchema rules --dataSchema data

  5. After the Disable Operators script finishes running, you see a confirmation message similar to this example:
    BUILD SUCCESSFUL
    Total time: 1 minute 45 seconds
    Exiting with NO Error
  6. See Additional options for the utility.

Additional options for the utility

The Disable Operators utility always disables a hard-coded list of default product operators if they are found to be using a default password. Options are available for detecting additional sets of operators and additional password values, either separately or in combination.

Detecting additional operators
Detecting additional password values
Combining the optional parameters

Detecting additional operators

To detect an additional set of operators for default passwords, run the utility using the parameter operatorsfilePath and refer to a text file with a simple list of operator IDs (one ID per line), as shown in the following example:
C:\Pega\scripts\disableOperators.bat --driverJAR "C:\\Pega\\driver\\ojdbc6.jar" --driverClass oracle.jdbc.OracleDriver --dbType oracledate --dbURL jdbc:oracle:thin:@localhost:1521/Pega7 --dbUser pegaadmin --dbPassword pegaadmin --rulesSchema rules --dataSchema data --operatorsfilePath C:\\Pega\\scripts\\myOperators.txt

You might want to use the operatorsfilePath option with the passwordsfilePath option described next.

Detecting additional password values

To check the hard-coded list of default product operators for additional password values and disable them if there is a match, run the utility using the parameter passwordsfilePath and refer to a text file with a simple list of password values (one per line), as shown in the following example:

C:\Pega\scripts\disableOperators.bat --driverJAR "C:\\Pega\\driver\\ojdbc6.jar" --driverClass oracle.jdbc.OracleDriver --dbType oracledate --dbURL jdbc:oracle:thin:@localhost:1521/Pega7 --dbUser pegaadmin --dbPassword pegaadmin --rulesSchema rules --dataSchema data --passwordsfilePath C:\\Pega\\scripts\\myPasswords.txt

You might want to use the passwordsfilePath option with the operatorsfilePath option described previously.

Combining the optional parameters

If you use operatorsfilePath and passwordsfilePath in combination, be aware of the precedence of the utility’s behavior:

  1. First, the utility disables the hard-coded list of default product operators if their passwords match either the default value or the value specified in the file referred to by passwordsfilePath.
  2. Then the utility disables any operators specified in the file referred to by operatorsfilePath ONLY if their passwords match a value provided in the file referred to by passwordsfilePath.
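The precedence rules can be checked against a small model before running the utility. This is an added example, not Pega's code: it is a literal reading of the two rules above plus the behaviour described under "Detecting additional operators", and it shows that in combined mode a custom operator still on the default password is left enabled unless that value is also in the passwords file. The operator IDs other than administrator@pega.com, the password values, and the function name are constructed placeholders; passwords are plain strings here for illustration only.

```python
# Constructed values: the page names only administrator@pega.com among the
# hard-coded operators and does not state the default password.
DEFAULT_PW = "<default-password>"
DEFAULT_OPS = ["administrator@pega.com"]
STORED = {  # operator ID -> current password (plain strings for illustration)
    "administrator@pega.com": DEFAULT_PW,
    "svc.batch@example.com": DEFAULT_PW,      # custom operator left on the default
    "qa.lead@example.com": "Welcome1",        # custom operator, site-specific weak value
    "dev.admin@example.com": "k3#long-unique-value",
}

def operators_to_disable(stored, operators_file=None, passwords_file=None):
    """Return the operator IDs the documented rules would disable."""
    extra_pws = set(passwords_file or [])
    disabled = set()

    # Rule 1: hard-coded product operators are checked against the default
    # value plus any values from passwordsfilePath.
    for op in DEFAULT_OPS:
        if stored.get(op) in {DEFAULT_PW} | extra_pws:
            disabled.add(op)

    # Rule 2: operators from operatorsfilePath. Combined with passwordsfilePath,
    # ONLY the file's values count; used alone, the default value is checked.
    if operators_file:
        candidates = extra_pws if passwords_file else {DEFAULT_PW}
        for op in operators_file:
            if stored.get(op) in candidates:
                disabled.add(op)
    return disabled

if __name__ == "__main__":
    ops = ["svc.batch@example.com", "qa.lead@example.com", "dev.admin@example.com"]
    print("operators file only:", sorted(operators_to_disable(STORED, ops)))
    print("combined:           ", sorted(operators_to_disable(STORED, ops, ["Welcome1"])))
```
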

Get help

If you encounter issues installing and running the Disable Default Operators utility or if you have questions about it, post your questions to the Product Support Community (PSC). The Global Customer Support engineers in the PSC will answer your questions or determine and advise if you need to go to My Support Portal to submit a Support Request (SR).
