Pega 7 Platform offers two Types for sensitive Value List and Value Group properties: Password and TextEncrypted. Both types produce encrypted (or hashed) values for the property value within the PegaRULES database, and both types offer some degree of security within the user interface.
When choosing which Type value to use, consider these factors:
- The Password type requires no advanced configuration or Java skills to set up. Several standard properties implement this type; for example, the property Data-Admin-Operator-ID.pyPwdCurrent. Pega 7 Platform applies the one-way MD5 algorithm to this value, which is never sent to any external system. The TextEncrypted type requires one-time Java coding of encryption Java functions of your choice to implement a Public API Interface.
- The displayed value of a Password property is a string of asterisks, for all users, in all situations. The Password value is never decrypted. In contrast, the value of a TextEncrypted property can appear in clear text or as asterisks, depending on the runtime outcome of an access when rule (Rule-Access-When rule type). Thus your application can make the clear-text value visible to specific users, on certain reports, or during specified time periods.
- Password properties are initially added to the clipboard as unencrypted, clear text values. The system computes the hashed value only as the page is committed to the PegaRULES database. Thereafter, the hashed value appears in both the clipboard and the database row. Properties for passwords for the Operator IDs, rulesets, and ruleset versions are of mode
  TextEncrypted values are always encrypted on the clipboard and in server-to-database network messages.
Implementation of a site-specific encryption algorithm requires Java skills and familiarity with the Java Cryptography Extension (JCE) technology. This topic provides an overview for planning purposes. Needed scripts and more detailed instructions are available from Global Customer Support.
1. Create a site-specific cipher. See the instructions in How to encrypt the Storage Stream.
2. Create one or more properties that use the TextEncrypted type. Complete the General tab:
   pxRequestor page or other clipboard pages.
3. Reference the property normally in other rules.
You can use a TextEncrypted property in expressions, testing for equality or inequality only. Call the standard function rule encryptPropertyValue() to encrypt the comparison value (a constant, a property value, or a computed text value) before the comparison. For example:
    @encryptPropertyValue("Virginia") == .myEncryptProperty
    .myEncryptProperty != @encryptPropertyValue(.pyLabel)
The access when rule test and automatic encryption (or decryption) occur only as users interact with a form. In all other cases, your application must explicitly call the functions.
Caution: Pega 7 Platform allows comparisons other than equality or inequality, but results are unpredictable.
Pega 7 Platform does not perform any automatic type conversions for TextEncrypted properties during Property-Set operations. As a result, it is rarely useful to directly assign an encrypted value to another property, or to assign another property value to a TextEncrypted property.
When a TextEncrypted property is set to a value, the system encrypts the value unless it is already encrypted. For example, in an activity, a Property-Set method operates on two properties, MyEncrypted (of type TextEncrypted) and MyText (of type Text). After the first of these three lines executes, the value in property MyEncrypted is encrypted. After the second line, the value in property MyText matches the value of MyEncrypted; no encryption or decryption takes place. After the third line, MyEncrypted holds the encrypted value from "Rosebud"; encryption is implicit.
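The expression rule (encrypt the comparison value, then test equality) and the Property-Set behavior described above, modelled in Python as an added example; this is not Pega code. The site cipher is a constructed, deterministic keystream stand-in for a real site-specific cipher, and the ENC: marker, the Clipboard class, the access_when flag and the three activity lines in property_set_walkthrough() are all assumptions (the page's own three lines are not reproduced here).

```python
"""Model of TextEncrypted property semantics (constructed example, not Pega code)."""
import hashlib
import hmac

SITE_KEY = b"constructed-demo-key"   # assumption: stands in for the site-specific cipher key
MARKER = "ENC:"                      # assumption: prefix that marks an already-encrypted value


def _keystream(length: int) -> bytes:
    # Deterministic keystream HMAC-SHA256(SITE_KEY, block counter). Determinism is what lets
    # encryptPropertyValue(x) == .prop work as an equality test; it is a toy, not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(SITE_KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def is_encrypted(value: str) -> bool:
    return value.startswith(MARKER)


def encrypt_property_value(value: str) -> str:
    """Models @encryptPropertyValue(): encrypt unless the value is already encrypted."""
    if is_encrypted(value):
        return value
    data = value.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(len(data))))
    return MARKER + ciphertext.hex()


def decrypt_property_value(value: str, access_when: bool) -> str:
    """Models @decryptPropertyValue(): clear text is available only when the access when rule is true."""
    if not access_when:
        raise PermissionError("access when rule is false; clear text not available")
    if not is_encrypted(value):
        return value
    ciphertext = bytes.fromhex(value[len(MARKER):])
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(len(ciphertext)))).decode("utf-8")


class Clipboard:
    """A clipboard page holding MyEncrypted (TextEncrypted) and MyText (Text)."""

    def __init__(self):
        self.types = {"MyEncrypted": "TextEncrypted", "MyText": "Text"}
        self.values = {}

    def property_set(self, name: str, value: str) -> None:
        if self.types[name] == "TextEncrypted":
            value = encrypt_property_value(value)   # implicit encryption on set, idempotent
        self.values[name] = value                   # Text property: stored as given, no conversion

    def get(self, name: str) -> str:
        return self.values[name]


def property_set_walkthrough():
    """Three constructed Property-Set lines, mirroring the sequence the page describes."""
    page = Clipboard()
    page.property_set("MyEncrypted", "Citizen Kane")         # line 1: value is encrypted on set
    page.property_set("MyText", page.get("MyEncrypted"))     # line 2: ciphertext copied verbatim
    page.property_set("MyEncrypted", "Rosebud")              # line 3: encryption is implicit
    return page.get("MyEncrypted"), page.get("MyText")


def compare_equal(page: Clipboard, literal: str) -> bool:
    """@encryptPropertyValue("literal") == .MyEncrypted"""
    return encrypt_property_value(literal) == page.get("MyEncrypted")
```

The equality test only works because the stand-in cipher is deterministic: the same clear text always yields the same ciphertext. That same property is why the page limits comparisons to equality and inequality; ordering comparisons on ciphertext bear no relation to the ordering of the clear text, and a deterministic scheme reveals which rows share a value, so the column should be exposed only where that is acceptable.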
To use a TextEncrypted property as a selection criterion on the Content tab of a list view or summary view rule:
- Expose the TextEncrypted property as a database column.
- Use Is Equal To or Is Not Equal To for the comparisons.
Caution: The rule forms accept comparisons other than Is Equal To or Is Not Equal To, but results are unpredictable.
If an external system calls a service and sends to Pega 7 Platform a (clear text) value for a field that is mapped to a TextEncrypted property, the value becomes encrypted as soon as it reaches the clipboard.
Responses to service calls and connector requests normally send only the encrypted value. Your application can call the standard function @decryptPropertyValue() to send the decrypted, clear text value, but only in a context when the access when rule is true.
Don't send an encrypted property value to an external system that expects the clear-text value.
On the Clipboard tool display, the value of a TextEncrypted property is blank.
Except as described here, Pega 7 Platform treats the value of a TextEncrypted property similarly to a Text property. Your application can place dates or numbers in the value, but no validation occurs.