Using the Credential Store

The Credential Store is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data by using a private key that is derived from a user’s Windows identity. Once encrypted, data can only be decrypted by the same Windows user. For more information, refer to this web page in the Microsoft Developer Network:

http://msdn.microsoft.com/en-us/library/ms995355.aspx

For more information about DPAPI and the encryption settings used by Pega® Robotic Automation Studio and Runtime, as well as the SHA version that is used for your version of Windows, see Encryption settings for Pega Robotic Automation.

Frequently Asked Questions

The following are some frequently asked questions about the Credential Store.

Where are credentials stored?

The Credential Store does not use a central server. Credentials are stored locally on the machine in an encrypted file that is located under the user’s application data directory. For example:

C:\Documents and Settings\John Doe\Application Data\OpenSpan, Inc\OpenSpan Studio\AppInfo.xml

How are credentials stored?

The Credential Store component persists the following strings: application name, user name, password, and domain. DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in the Password Based Encryption Standard (PKCS) #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is stored in the user's profile directory.

However, the MasterKey is not explicitly used to protect the data. Instead, a symmetric session key is generated based on the MasterKey, some random data, and an additional Pega-provided hard-coded entropy string. This session key is used to protect the data and is never stored. Instead, DPAPI stores the random data that it used to generate the key in the opaque data blob. When the data blob is passed back in to DPAPI, the random data is used to re-create the key and to unprotect the data.

For security reasons, MasterKeys expire, which means that after a period of time (the hard-coded value being three months), a new MasterKey is generated and protected in the same manner. This expiration prevents an attacker from compromising a single MasterKey and accessing all of a user's protected data.

Can anyone view or decrypt stored credentials?

No. Only the user whose Windows identity was used to encrypt the data can decrypt it. Also, the additional entropy string supplied by Pega helps to prevent other applications from decrypting the credential data.
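The DPAPI behavior described in the two answers above can be observed with the .NET ProtectedData class. The following is an added example, not Pega code. It assumes Windows PowerShell 5.1, and the entropy value, the record layout, and the variable names are constructed placeholders, not the values or file format that the Credential Store uses.

```powershell
# Added example: DPAPI round trip with an application-supplied entropy value.
Add-Type -AssemblyName System.Security

# CurrentUser scope ties the blob to the Windows identity that encrypts it.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed placeholder; NOT the entropy string that Pega ships.
$entropy = [Text.Encoding]::UTF8.GetBytes('EXAMPLE-APP-ENTROPY')

# Constructed sample record holding the four strings the page lists.
$record = 'app=SampleApp;user=jdoe;password=Example-Pass-1;domain=CORP'
$plain  = [Text.Encoding]::UTF8.GetBytes($record)

# Protect: DPAPI derives a session key from the user's MasterKey, random
# data, and the entropy. The returned opaque blob carries the random data,
# but neither the session key nor the entropy.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $scope)
"Opaque blob length: $($blob.Length) bytes"

# Unprotect as the same user with the same entropy: the key is re-created.
$back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
'Round trip matches: ' + ([Text.Encoding]::UTF8.GetString($back) -eq $record)

# Same user, but without the entropy the protecting application used:
# DPAPI cannot re-create the session key and Unprotect throws.
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    'Unexpected: blob decrypted without the entropy'
} catch {
    'Unprotect without the matching entropy failed: ' + $_.Exception.Message
}
```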

Where is the software installed?

The Credential Store component is installed with Studio and Runtime. Studio is installed on developer desktops. Runtime is installed on solution user desktops.

How are passwords managed?

The Credential Store component is used by Studio developers when they create automations, which are then deployed to the end-user desktop and are executed by Runtime. Automations run independently on each end-user desktop and are not connected to a central management server following their deployment. Developers can choose to enforce password management functions within their automations, but there is no server that centrally manages password rules.

How often does the user have to input their credentials?

The Credential Store component can persist credentials indefinitely. However, developers can choose to enforce password management functions within their automations, including periodically prompting for the re-entry or clearing of stored passwords. For instance, a developer can create an automation that initially prompts users for credentials the first time that they log on. For subsequent logons, the automation automatically logs in the user until it detects that a login failed. Once a login has failed, the automation prompts the user to re-enter their credentials.

Does the software log who accessed credentials or who accessed the tool?

The client can enable local logging of the Enterprise Runtime environment that provides general log details. Optionally, you can use Events to log extended or custom events. These events can be written to a central repository and can contain only the specific items that you want to see.

Is this software commonly deployed by other clients?

Yes. We have deployed this capability to several other clients. Implementation of the Credential Store varies from account to account depending on project requirements, internal security policies, and the infrastructure that is already in place.

Published December 6, 2016 — Updated October 30, 2017

