The Credential Store is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data using a private key derived from a user’s Windows identity. Once encrypted, data can only be decrypted by the same Windows user. For more information, refer to this web page:
For more information about DPAPI and the encryption settings used by Pega® Robotic Automation Studio and Runtime, as well as the SHA version that is used for your version of Windows, see Encryption settings for Pega Robotic Automation.
The following sections detail some frequently asked questions about the Credential Store:
Where are credentials stored?
Credentials are stored locally on the machine in an encrypted file located under the user’s application data directory. The Credential Store does not use a central server.
The following is an example of the path where credentials are stored:
C:\Documents and Settings\John Doe\Application Data\OpenSpan, Inc\OpenSpan Studio\AppInfo.xml
How are credentials stored?
The Credential Store component will persist the following strings: application name, user name, password and domain. DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in the Password Based Encryption Standard (PKCS) #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.
The MasterKey, however, is not used explicitly to protect the data. Instead, a symmetric session key is generated based on the MasterKey, some random data, and an additional hard-coded entropy string that Pega provides. This session key is used to protect the data. The session key is never stored. Instead, DPAPI stores the random data it used to generate the key in the opaque data blob. When the data blob is passed back in to DPAPI, the random data is used to re-create the key and unprotect the data.
For security reasons, MasterKeys expire, which means that after a period of time, the hard-coded value being three months, a new MasterKey is generated and protected in the same manner. This expiration prevents an attacker from compromising a single MasterKey and accessing all of a user's protected data.
Can anyone view or decrypt stored credentials?
No. Only the user whose Windows identity was used to encrypt the data can decrypt it. Moreover, the additional entropy string supplied by Pega helps prevent other applications from decrypting the credential data.
Where is the software installed?
The Credential Store component is installed with Studio and Runtime. Studio is installed on developer desktops. Runtime is installed on solution user desktops.
How are passwords managed?
The Credential Store component is used by Studio developers when they create automations which are then deployed to the end-user desktop and executed by Runtime. Automations run independently on each end-user desktop and are not connected to a central management server following deployment. Developers can choose to enforce password management functions within their automations, but there is no server that centrally manages password rules.
How often does the user have to input their credentials?
The Credential Store component can persist credentials indefinitely. However, developers can choose to enforce password management functions within their automations, including periodically prompting for the re-entry or clearing of stored passwords. For instance, a developer can create an automation that initially prompts users for credentials the first time they log on. For subsequent logons, the automation automatically logs in the user until it detects that a login failed. Once a login has failed, the automation prompts the user to re-enter his or her credentials.
Does the software log who accessed credentials or who accessed the tool?
The client can enable local logging of the Enterprise Runtime environment that provides general log details. Optionally, you can use Events to log extended or custom events. These events can be written to a central repository and can contain only the specific items you want to see.
Is this software commonly deployed by other clients?
Yes. We have deployed this capability to several other clients. Implementation of the credential store varies from account to account depending on their project requirements, internal security policies, and the infrastructure already in place.