Optionally, you can enable configuration of the Storage Stream or blob (pzPVStream) column for rows of the PegaRULES database corresponding to specific classes.
Encryption occurs when Process Commander saves an instance of the class; decryption occurs when Process Commander retrieves and opens an instance.
This feature is unrelated to any encryption of the database provided through database software or software provided by others.
1. Before you create any instances of the classes, update the prconfig.xml file (on each node) to include the following setting:
<env name="crypto/sitecipherclass" value="com.pega.pegarules.crypto.CCCCCC" />
where CCCCCC is the name of your encryption interface. Your Java code can follow the model in the supplied sample PRCipherSampleBF, but to ensure the security and uniqueness of your encryption implementation, do not use the unmodified sample.
2. To make the prconfig.xml setting take effect, stop and restart (or redeploy) the system.
3. Open each Class form that is to hold instances with encrypted Storage Stream values. Select the Encrypt BLOB? check box on the Basic tab. Save the Class form. (This check box affects only the blob column for instances of one single class. Update this check box for each class to be affected.)
4. Encryption is enabled. Your application can create instances of the class normally.
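A check for step 1, as an added example that is not part of the original help page or of Process Commander: it reads the prconfig.xml text collected from each node and reports nodes where crypto/sitecipherclass is missing, still names the sample PRCipherSampleBF, or differs from other nodes. The <pegarules> root element, the node names, the example/placeholder setting and the AcmeCipher class name in the constructed sample input are assumptions.

```python
import xml.etree.ElementTree as ET

SETTING = "crypto/sitecipherclass"  # setting name given in step 1
SAMPLE_CLASS = "PRCipherSampleBF"   # supplied sample; not to be used unmodified

def cipher_class(prconfig_text):
    """Return the crypto/sitecipherclass value, or None if the setting is absent."""
    root = ET.fromstring(prconfig_text)
    values = [e.get("value") for e in root.iter("env") if e.get("name") == SETTING]
    if len(values) > 1:
        raise ValueError("duplicate %s entries" % SETTING)
    return values[0] if values else None

def audit_nodes(node_configs):
    """node_configs maps node name -> prconfig.xml text.
    Returns a list of (node, finding) tuples; '*' marks a cluster-wide finding."""
    findings, classes = [], {}
    for node, text in sorted(node_configs.items()):
        try:
            value = cipher_class(text)
        except (ET.ParseError, ValueError) as exc:
            findings.append((node, "unreadable: %s" % exc))
            continue
        classes[node] = value
        if not value:
            findings.append((node, "setting missing"))
        elif value.rsplit(".", 1)[-1] == SAMPLE_CLASS:
            findings.append((node, "unmodified sample cipher configured"))
    # Every node must name the same cipher class (step 1 applies to each node).
    distinct = sorted({v for v in classes.values() if v})
    if len(distinct) > 1:
        findings.append(("*", "nodes disagree: " + ", ".join(distinct)))
    return findings

# Constructed sample input (assumed root element, node names and AcmeCipher class).
NODE_A = ('<pegarules><env name="crypto/sitecipherclass" '
          'value="com.pega.pegarules.crypto.AcmeCipher" /></pegarules>')
NODE_B = ('<pegarules><env name="crypto/sitecipherclass" '
          'value="com.pega.pegarules.crypto.PRCipherSampleBF" /></pegarules>')
NODE_C = '<pegarules><env name="example/placeholder" value="x" /></pegarules>'

if __name__ == "__main__":
    for node, finding in audit_nodes({"a": NODE_A, "b": NODE_B, "c": NODE_C}):
        print(node, finding)
```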
Process Commander does not include encryption software. The sample Java class PRCipherSampleBF exposes the SunJCE Java Cryptography Extension provider (in your system's JDK) of the Blowfish algorithm. To ensure the security and uniqueness of your encryption implementation, do not implement this sample.
1. Code the class to implement the Public API IPRCipher interface.
2. Place the resulting JAR file in a directory provided by your application server for external libraries.
3. Update the prconfig.xml file to include the new JAR files in Process Commander class paths. See the Pega Developer Network article PRKB-20931 About the Process Commander class paths.
This facility is most useful for work objects, assignments, or attachments. If a ZIP archive contains instances of classes with encrypted Storage Stream values, the ZIP archive can only be imported to another system that uses the identical cipher algorithm.
CPU processing for encryption and decryption can affect overall system performance, depending on data volumes and algorithms. To help you assess the impact, six Decimal properties on the Full Details display of the Performance tool record times and counts. (Elapsed time and CPU times are components of other statistics that measure database times. CPU statistics are available only for Windows platforms. All times are in seconds.)
Encryption of the Storage Stream column for one class does not affect the Storage Stream of other classes that may occupy the same table in the PegaRULES database.