Monday, February 24, 2020

Common Config Settings for Pega Server

Common security findings for Pega from a security scan:

Every application goes through security scanning, and for Pega most of the warnings raised are the two below, which scanners usually rate as low severity:

1) Error message:
Session Cookie Does Not Contain the "Secure" Attribute
Without the Secure attribute the browser also sends the session cookie over plain HTTP, so anyone who can observe or redirect traffic on the network (for example by getting the user to follow an http:// link to the site) can capture the session cookie. The attribute tells the browser to send the cookie only over HTTPS, so it is recommended to add it.

Resolution:

Perform the following local change:
Add the Dynamic System Setting (DSS) below in Pega PRPC; a DSS applies to every server/node that shares the Pega database.

prconfig/HTTP/SetSecureCookie/default
value = "true"
Owning ruleset  -  Pega-Engine

If the setting should apply only to a particular node, put it in that node's prconfig.xml instead:
<env name="HTTP/SetSecureCookie" value="true" />

A Secure cookie is never sent back over plain http://, so make sure users reach the site over HTTPS end to end (including through any load balancer or reverse proxy in front of Pega) before enabling this, otherwise logins will stop working.
=======================

2) Error message:
Cookie Does Not Contain The "HTTPOnly" Attribute
Without the HttpOnly attribute, script running in the page can read the session cookie through document.cookie, so a cross-site scripting (XSS) flaw anywhere in the application lets an attacker steal the session. The attribute hides the cookie from script (the browser still sends it with every request), so it is recommended to add it.

Resolution:
Perform the following local change:
Add the DSS below in Pega PRPC; a DSS applies to every server/node that shares the Pega database.

DSS: purpose - prconfig/cookie/HttpOnly/default (the last segment, default, can vary based on node classification)
         Ruleset  - Pega-Engine
         Value     - true

Restart the server after this DSS is set for the change to take effect.

If the setting should apply only to a particular node, put it in that node's prconfig.xml instead (the env name is the part of the DSS purpose between prconfig/ and /default, as in the Secure example above):
<env name="cookie/HttpOnly" value="true" />
=======================
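A quick way to confirm both settings took effect after the restart is to capture the Set-Cookie headers from a login response to /prweb and check them for the two attributes. The checker below is an added example, not code from the original post or from Pega; the cookie names and values in BEFORE and AFTER are constructed samples, not captured from a real node.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the original post): after enabling
HTTP/SetSecureCookie and cookie/HttpOnly and restarting, feed the
Set-Cookie headers from a login response through audit_headers().
The header lines below are constructed samples.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased so "HttpOnly" and "httponly" compare equal;
    flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_attributes(header_value: str,
                       required=("secure", "httponly")) -> List[str]:
    """Return the required attributes that are absent from the cookie."""
    cookie = parse_set_cookie(header_value)
    return [a for a in required if a not in cookie["attrs"]]


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of missing attributes (empty = OK)."""
    report = {}
    for h in headers:
        # Accept either the bare header value or the full "Set-Cookie: ..." line.
        if h.lower().startswith("set-cookie:"):
            h = h.split(":", 1)[1].strip()
        report[parse_set_cookie(h)["name"]] = missing_attributes(h)
    return report


# Constructed samples: "before" (both attributes missing, what the scanner
# flags) and "after" (both settings enabled). Names/values are illustrative.
BEFORE = [
    "Set-Cookie: Pega-RULES=HrABCDEF0123456789; Path=/prweb",
    "Set-Cookie: JSESSIONID=9F3A2B1C; Path=/prweb",
]
AFTER = [
    "Set-Cookie: Pega-RULES=HrABCDEF0123456789; Path=/prweb; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID=9F3A2B1C; Path=/prweb; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        for name, missing in audit_headers(hdrs).items():
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {name}: {status}")
```

Run it against the real headers (for example from the browser's network tab or curl -i) rather than the samples. Keep in mind that the two DSS entries govern the cookie Pega itself issues; if the servlet container also issues its own session cookie (such as JSESSIONID on Tomcat), that cookie's attributes come from the container's configuration (the session-config/cookie-config section of web.xml, or Tomcat's useHttpOnly context attribute), so the scanner may still flag it after the Pega change.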

Note: If you find other common issues like this, please let me know and we can add them to the post, so that it helps all of us.

Wednesday, February 5, 2020

LDAP Implementation in Pega PRPC

LDAP Implementation with Simple Authentication:

In Pega PRPC I tried LDAP authentication. I followed the steps in the link below in the Personal Edition, for trial and learning purposes, and it works without any changes.
https://community1.pega.com/community/product-support/question/how-cofigure-server-based-authentication-ldap

1) Install an LDAP server:
I downloaded Apache Directory Studio and installed the server.
https://directory.apache.org/studio/download/download-windows.html

Import some sample data: search Google for a sample ".ldif" file (LDIF is the text format for LDAP data). The default LDAP port is 389; ApacheDS listens on 10389 by default.
My LDAP URL is: ldap://localhost:10398

Sample screenshot of the data and its structure (screenshot not reproduced here):
dc=example, dc=com
  ou=Management
    cn=1 (user1)
    cn=2 (user2)
2) Create an Authentication Service, named "TestLDAP1" in this example, and set its Authentication Timeout and Authentication Activity.
Then configure the Search Directory, the Filter Criteria and its Parameter (the user-entered value that is substituted into the filter).

[Screenshot of the Authentication Service configuration not reproduced here]
Then map the other LDAP attributes that Pega needs for operator configuration and process identification.

[Screenshot of the attribute mapping not reproduced here]
Set the Model Operator ID whose settings are copied to create a new Operator ID on first login.
If you change the Model Operator ID, also specify the access group in Unauthenticated Access Group; otherwise the default configuration is fine.
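The Filter Criteria configured above is a template, for example (uid={0}), into which the authentication service substitutes the value typed at the login prompt. Whatever performs that substitution must escape the value first, or a login name containing filter metacharacters such as * or ) changes what the search matches. The snippet below is an added example, not code from the original post and not Pega's own implementation; it shows what the escaping has to achieve, using the search base from the sample data above and an assumed (uid={0}) template.

```python
"""Build the LDAP search filter sent for a login, with and without escaping.

Added example (not from the original post and not Pega's code). The template
"(uid={0})" and the attribute name uid are assumptions; the search base comes
from the post's sample directory (dc=example,dc=com / ou=Management).
"""

# Characters that have meaning inside an LDAP filter (RFC 4515 section 3)
# and their escaped forms.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, login: str) -> str:
    """Substitute the escaped login into the {0} placeholder of the template."""
    return template.replace("{0}", escape_filter_value(login))


def build_filter_unsafe(template: str, login: str) -> str:
    """Same substitution without escaping, to show what goes wrong."""
    return template.replace("{0}", login)


SEARCH_BASE = "ou=Management,dc=example,dc=com"   # from the post's sample data
TEMPLATE = "(uid={0})"                            # assumed Filter Criteria

if __name__ == "__main__":
    # "*" alone would match every entry under the search base; "us*" every
    # login starting with "us"; the escaped forms match only a literal value.
    for login in ("user1", "*", "us*", "user1)(cn=*"):
        print(f"login={login!r}  base={SEARCH_BASE}")
        print("  unsafe :", build_filter_unsafe(TEMPLATE, login))
        print("  escaped:", build_filter(TEMPLATE, login))
```

When testing your own authentication service, try logging in with a name such as * or us* and confirm the directory search does not resolve to an unexpected entry; a search that returns more than one entry for a login should be treated as a failed authentication.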

3) Update the deployment descriptor of the prweb web application. On Tomcat this is the WEB-INF/web.xml of the deployed prweb application; on other application servers edit the corresponding descriptor of the Pega web application as deployed there.

4) Add a servlet entry to web.xml in the format below; in the AuthService init-param give the name of the newly created Authentication Service, TestLDAP1 in this example.
With this in place, a request to the URL below is routed to that servlet and therefore to the corresponding Authentication Service.
http://localhost:9085/prweb/PRWebLDAP2

<servlet>
<servlet-name>WebLDAP2</servlet-name>
<display-name>WebLDAP2</display-name>
<description>Authentication using LDAP (reserved for configuration wizard)</description>
<servlet-class>com.pega.pegarules.internal.web.servlet.WebStandardBoot</servlet-class>
<init-param>
<param-name>PegaEtierClass</param-name>
<!--  COMPONENTS: This was previously com.pega.pegarules.services.HttpAPI -->
<param-value>com.pega.pegarules.session.internal.engineinterface.service.HttpAPI</param-value>
</init-param>
<init-param>
<param-name>AuthenticationType</param-name>
<param-value>PRCustom</param-value>
</init-param>
<init-param>
<!-- AuthService is the name of the Authentication Service rule created in step 2 (TestLDAP1 in this example) -->
<param-name>AuthService</param-name>
<!--<param-value>WebLDAP2</param-value> -->
<param-value>TestLDAP1</param-value>
</init-param>
<init-param>
<param-name>RuntimeServletName</param-name>
<param-value>PRWebLDAP2</param-value>
</init-param>
<init-param>
<param-name>SecureServletName</param-name>
<param-value>PRWebLDAP2Auth</param-value>
</init-param>
</servlet>
<!-- The servlet must also be mapped to the path used in the URL above (/prweb/PRWebLDAP2).
     Check whether web.xml already contains a mapping like this and add it only if it is missing. -->
<servlet-mapping>
<servlet-name>WebLDAP2</servlet-name>
<url-pattern>/PRWebLDAP2</url-pattern>
</servlet-mapping>

5) Now open a new browser window and enter the servlet URL from step 4.

Enter a user name and password from the data you loaded through the sample .ldif file.

You should see the screen/portal you are logging on to.

Please let us know of any other updates; we will add them, as it will be helpful for others as well.