SR-119800 · Issue 177840
Security policy transaction mismatch error resolved
Resolved in Pega Version 7.1.8
If security policies are enabled, logging out and then logging in prompts a password change. If the password was changed and then the page was refreshed, a transaction mismatch error occurred. This was caused by incomplete clearing of the password setting transaction, and the system has been updated to properly switch transactions.
SR-123636 · Issue 184161
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-123636 · Issue 181701
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-124473 · Issue 186179
Added handling for unauthenticated asynchronous SOAP service
Resolved in Pega Version 7.1.8
After implementing changes to work around an error with SOAP authentication, the unauthenticated asynchronous SOAP service generated an error and failed to complete. This was due to the changes to the authentication process omitting the asynchronous mode case when a SOAP service that intended to not use authentication ends up calling a sub-activity that requires authentication. This use case is now covered.
SR-126719 · Issue 177348
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-126719 · Issue 178793
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-128463 · Issue 193907
Create KeyRing updated for split schema
Resolved in Pega Version 7.1.8
If a command line script is configured (viz. keyringGen.sh) to encrypt user passwords for prconfig.xml databases using Keyring utility, a prconfig.xml could have three database entries but the keyring tool only prompted for two databases and did not allow encrypting password for the user for the third database. The prconfig.xml file requires very specific location information to run: to resolve this, the variables to hold schema name in case of split schema configuration have been added.
SR-D86011 · Issue 548152
Browser fingerprint validation issue resolved
Resolved in Pega Version 8.3.3
After upgrade, Pega logoff was happening automatically within five minutes while using Microsoft Internet Explorer. This was traced to the COSMOS-based portal in Microsoft Internet Explorer 11 generating different hashes for different parts of the screen, causing a "Browser fingerprint validation failed" error because of the pzBFP token mismatch. To resolve this, an update has been made to exclude the graphic components for calculation of browserfingerprint.
SR-D96395 · Issue 555117
CDK key loading modified for better database compatibility
Resolved in Pega Version 8.3.3
Users were unable to log on to the system and received the error "There has been an issue; please consult your system administrator." Investigation showed the log errors stating "(dataencryption.DataKeyProvider) ERROR localhost - Could not get CDK from systemKeyManagementCache - System CDK is null". This was an issue specific to the MS SQL Server database when there were 6 or more CDKs in the database: CDK keys are loaded from database into Cache using an SQL statement which had the ORDER clause. By default, the ORDER clause treats NULL values differently on different databases, and this caused MS SQL databases to not load a necessary CDK key. To resolve this, the SQL query has been modified so the result will be the same for all supported daatbases (Oracle, Postgres & MS SQL Server).
SR-D79181 · Issue 551123
OKTA receives parameters on logout
Resolved in Pega Version 8.3.3
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.