Question
Are there any guidelines for security checks to be followed for the Pega instance hosted in the AWS cloud instance?
Our client is moving the Pega setup to the AWS cloud. The application hosted in the Pega cloud instance is going to be accessed over the web. Are there any guidelines available for the security checks to be followed to provide more security for the application?
I have some problems with the web mashup code exposing the URL of the system which we are accessing, and also when we view the source of the UI the entire URL is exposed. Is there any process for masking the URL?
<!DOCTYPE html>
<html lang='en-AU' class="wk chrome yui-skin-sam">
<head>
<meta name="viewport" content="initial-scale=1, maximum-scale=1">
<title>Shift Management Front End portal</title>
<LINK id="favicon" REL="SHORTCUT ICON" type="image/png" HREF="webwb/CiscaFavIconRed.png" >
<link rel="stylesheet" type="text/css" href="webwb/pzjquery-ui_12425559562.css!pega_yui_styles_min_13103393942!!.css">
<!-- Style for runtime editing -->
<link rel="stylesheet" type="text/css" href="webwb/reports_core_11784546932.css!!.css">
<link rel="stylesheet" type="text/css" href="webwb/pzskinv2_tnswexternaluiff7d1e4bbb3f600f24fed16ea7d091915ed47fda6ef7b5c3d415acc81faf94ea_full_11383043448.css!!.css">
<script>
pega_ui_statetracking_TopOfDoc = Date.now();
var uwtClientStart = new Date().getTime();
if (!pega) var pega = {};
if (!pega.desktop) { pega.desktop = {}; pega.d = pega.desktop; }
pega.desktop.loadTime = new Date().getTime();
pega.d.csrfToken = "" ;
pega.d.obfuscateKey = "1370aa6d1544407892e4d6e450c93d7a" ;
pega.d.pyUID = "ciscaExternal";
pega.d.pxReqURI = "/prweb/IAC/QNCdCDcIuHXy06XwX0uPooOpJdVQ9vJl*/!STANDARD";
pega.d.pxHelpURI = "http://localhost:9080/prhelp";
pega.d.pxPdnURI = "https://pdn.pega.com/products/pega-721";
var requestHomeURI = "http://mnst.mps.mel.com.au:80/prweb/IAC/QNCdCDcIuHXy06XwX0uPooOpJdVQ9vJl*";
pega.d.currAG ="CiscaMgmtWeb:User";
pega.d.isPortlet = false;
pega.d.desktopType = "Composite";
pega.d.desktopSubType = "Composite";
pega.d.pzUnitTestPKey = "CiscaMgmtCaseManager";
var bEncryptURLs = false;
var DesktopUserSessionInfo_gStrOperatorId = "FEUserExternal";
var DesktopUserSessionInfo_gStrUserName = "Frond End User";
var DesktopUserSessionInfo_gStrCurrentWorkPool = "MNST-Maps-MFE-Work";
var DesktopUserSessionInfo_gStrStartPage = "Work";
var DesktopUserSessionInfo_gStrDesktopType = "Composite";
var gLayoutType = "header";
var gOverridePreferences = "false";
var gPersonalRuleSetName = "coscaExternal@";
var gWelcomeHTML = "WelcomeScreen";
var gPortalWarnDirty=true;
var gPDNQueryURI="https://pdn.pega.com/products/pega-721";
var gCurrentAccessGroup="CiscaMgmtWeb:User";
var gRecoverPreferences = "false";
var gToolsSpaceExists = false;
var gRulesSpaceExists = false;
var DesktopUserSessionInfo_isAccessible = false;
var gIsPegaDeveloper = false;
Thanks,
Srikanth J
***Updated by moderator: Lochan to update Categories***
Hi Srikanth,
Please have a look at this URL (https://pdn.pega.com/security-checklist-pega-7-platform-applications/security-checklist-pega-7-platform-applications)
There are multiple queryconfig/DSS settings available to enable the security level on PRPC. Some of these DSS settings require hotfixes to enable if you are using a lower version (5.x, 6.x, 7.1x).
For the use case mentioned above, you can make use of the queryconfig setting below to encrypt the URL. Also, note that some of these settings will have an impact, e.g. Designer Studio will not work.
I strongly recommend that you get the list of security settings available in your on-premises environment and contact your Account Executive to check the feasibility of enabling the same on Pega Cloud.
If you are running with SSL, the data will be encrypted over the wire and it will not be a security concern.
Regards,
Sudhish OP
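The view-source dump in the question shows how a mashup page's inline bootstrap script can carry absolute URLs pointing at hosts that should never be visible to an internet user (a localhost help URI, an internal hostname with an explicit port). Before exposing such a page on the web, a quick review step is to scan the rendered HTML for exactly that kind of leak. The Python script below is an added example written for this thread, not code from Pega or from either poster: it extracts every absolute http(s) URL from a page and flags the ones that name loopback or private hosts, internal-looking domain suffixes, plain http, or an explicit port. The sample HTML, the hostnames in it and the `PRIVATE_SUFFIXES` list are constructed placeholders; adjust the suffix list to your own naming.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample modelled on a Pega mashup bootstrap script.
# Hostnames are placeholders, not the ones from the original post.
SAMPLE_HTML = """
<script>
pega.d.pxReqURI = "/prweb/IAC/ABC123*/!STANDARD";
pega.d.pxHelpURI = "http://localhost:9080/prhelp";
pega.d.pxPdnURI = "https://pdn.pega.com/products/pega-721";
var requestHomeURI = "http://app.corp.internal:80/prweb/IAC/ABC123*";
var apiBase = "https://10.20.30.40:8443/prweb/api/v1";
</script>
"""

# Absolute http(s) URLs sitting inside a quoted JS/HTML string.
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")

# Domain suffixes this example treats as internal (assumption; tune per site).
PRIVATE_SUFFIXES = (".internal", ".local", ".lan", ".corp")


def is_internal_host(host: str) -> bool:
    """True for loopback, RFC1918/loopback IPs, internal suffixes, or bare hostnames."""
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ip_address(host)
        return addr.is_private or addr.is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to name checks
    return host.endswith(PRIVATE_SUFFIXES) or "." not in host


def find_exposed_urls(html: str) -> list:
    """Return a list of findings for URLs a public visitor should not see."""
    findings = []
    for url in URL_RE.findall(html):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if is_internal_host(host):
            reasons.append("internal host")
        if parsed.scheme == "http":
            reasons.append("plain http")
        if parsed.port is not None:
            reasons.append(f"explicit port {parsed.port}")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_exposed_urls(SAMPLE_HTML):
        print(f["url"], "->", ", ".join(f["reasons"]))
```

Run it against the HTML a browser actually receives (not the rule source), since the mashup gateway and skins inject values at render time. Relative paths such as `pxReqURI` are deliberately skipped: they do not reveal a host, which is the concern raised in the question; the public PDN link is also left alone because it is a public host over https with no explicit port.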