Question
Are there any guide lines for security checks to be followed for the Pega Instance hosted inthe AWS cloud instance ?
our client is moving the pega setup to AWS cloud. The application hosted in the Pega cloud instance is going to be accessed over the web. Are there any guide lines available for the security checks to be followed to provide more security for the application ?
I have some problems with the web mashup code exposing the url of the system which we are accessing and also when we view the source of the ui the entire url is getting exposed. Is there any process of masking the url ?
<!DOCTYPE html> <html lang='en-AU' class="wk chrome yui-skin-sam"> <head>
<meta name="viewport" content="initial-scale=1, maximum-scale=1"> <title>Shift Management Front End portal</title>
<LINK id="favicon" REL="SHORTCUT ICON" type="image/png" HREF="webwb/CiscaFavIconRed.png" >
<link rel="stylesheet" type="text/css" href="webwb/pzjquery-ui_12425559562.css!pega_yui_styles_min_13103393942!!.css"> <!-- Style for runtime editing --> <link rel="stylesheet" type="text/css" href="webwb/reports_core_11784546932.css!!.css"> <link rel="stylesheet" type="text/css" href="webwb/pzskinv2_tnswexternaluiff7d1e4bbb3f600f24fed16ea7d091915ed47fda6ef7b5c3d415acc81faf94ea_full_11383043448.css!!.css"> <script> pega_ui_statetracking_TopOfDoc = Date.now(); var uwtClientStart = new Date().getTime(); if (!pega) var pega = {}; if (!pega.desktop) { pega.desktop = {}; pega.d = pega.desktop; } pega.desktop.loadTime = new Date().getTime(); pega.d.csrfToken = "" ; pega.d.obfuscateKey = "1370aa6d1544407892e4d6e450c93d7a" ; pega.d.pyUID = "ciscaExternal"; pega.d.pxReqURI = "/prweb/IAC/QNCdCDcIuHXy06XwX0uPooOpJdVQ9vJl*/!STANDARD"; pega.d.pxHelpURI = "http://localhost:9080/prhelp"; pega.d.pxPdnURI = "https://pdn.pega.com/products/pega-721"; var requestHomeURI = "http://mnst.mps.mel.com.au:80/prweb/IAC/QNCdCDcIuHXy06XwX0uPooOpJdVQ9vJl*"; pega.d.currAG ="CiscaMgmtWeb:User"; pega.d.isPortlet = false; pega.d.desktopType = "Composite"; pega.d.desktopSubType = "Composite"; pega.d.pzUnitTestPKey = "CiscaMgmtCaseManager"; var bEncryptURLs = false; var DesktopUserSessionInfo_gStrOperatorId = "FEUserExternal"; var DesktopUserSessionInfo_gStrUserName = "Frond End User"; var DesktopUserSessionInfo_gStrCurrentWorkPool = "MNST-Maps-MFE-Work"; var DesktopUserSessionInfo_gStrStartPage = "Work"; var DesktopUserSessionInfo_gStrDesktopType = "Composite"; var gLayoutType = "header"; var gOverridePreferences = "false"; var gPersonalRuleSetName = "coscaExternal@"; var gWelcomeHTML = "WelcomeScreen"; var gPortalWarnDirty=true; var gPDNQueryURI="https://pdn.pega.com/products/pega-721"; var gCurrentAccessGroup="CiscaMgmtWeb:User"; var gRecoverPreferences = "false"; var gToolsSpaceExists = false; var gRulesSpaceExists = false; var DesktopUserSessionInfo_isAccessible = false; var gIsPegaDeveloper = false;
Thanks,
Srikanth J
***Updated by moderator: Lochan to update Categories***
Hi othos,
Sorry for late reply. I have gone through the details . do all the DSS setting need to be created or can i add them in the config file ?
Are there any other security measures i need to follow apart from these DSS settings ?
Thnaks,
Srikanth J
Hi Srikanth,
Please note,you need to speak to your security team and take decision which all settings are actually needed for your environment.
Yes,you can add these settings to prconfig as well.
Hi Srikanth,
Also, there are some security DSS settings (refer below pdn link) which can be used only by verifying the scenario, since it will break the developer portal of PRPC.
https://pdn.pega.com/support-articles/agent-and-agent-schedule-link-error
If you can discuss with your security team get the list of security measures going to implement in the environment then I can at least cross verify the known impact. Also, you can check the feasibility of enabling the security measure in application server itself instead of PRPC.
Hi Srikanth,
Please have a look into this URL (https://pdn.pega.com/security-checklist-pega-7-platform-applications/security-checklist-pega-7-platform-applications)
There are multiple Queryconfig/DSS settings available to enable the security level on PRPC. Some of these DSS setting require hotfixes to enable these settings if you are using a low version (5x,6x,7.1x).
For the use case mentioned above, you can make use of below queryconfig setting to encrypt the URL.Also, note some of these settings will have an impact like designer studio will not work etc.
I strongly recommend you to get the list of security setting available in your on premises environment and contact your Account Execute to check the feasibility of enabling the same on PEGA cloud.
If you are running with SSL, the data will be encrypted over the wire and it will not be a security concern.
Regards,
Sudhish OP