Mashup URL obfuscation without PRGateway
Hi All,
In my customer, we are using Mashup with no gateway and Pega 7.2.1. After sniffing the traffic between a third party application we have to integrate with for authentication purposes, I can see that the headers are in clear text and that is something we want to avoid (STANDARD?pyActivity=%40baseclass.doUIAction&action=display&harnessName=XXX&className=XXY...).
I was checking the URL obfuscation and enncryption but I am having some troubles in having that work. I have added to prconfig the following entries :
<env name="initialization/SubmitObfuscatedURL" value="required" />
<env name="initialization/URLEncryption" value="true" />
But it has not worked as expected, in fact it does not work. Is it mandatory to have the PRGateway in order to have this working? Does anyone know how to achieve it?
Many thanks!
Pegasystems Inc.
IN
Hi Herim,
For the URL obsfucation, you need not to have PRGateway. We need to just update the prconfig.xml with the parameters you have used. i.e.:
<env name="Initialization/SubmitObfuscatedURL" value="required"/>
<env name="Initialization/Urlencryption" value="TRUE"/>
Could you please clarify , what issues you are facing .
Thank you
Pegasystems Inc.
ES
Hi abhishek,
I am getting the following error, when having those settings : Obfuscated URL tampering - unable to derive cleartext data
Without those settings it does work but the user ,authenticated, can snif the traffic and see the headers in clear text ... Any ideas beyond those settings? Anything else I may be missing?
Many thanks!
Pegasystems Inc.
ES
Hi abhishek,
Do you know what is the correct notation to specify in the mashup file that the traffic is encrypted? (like in the old approach having the gateway : pega.web.config.encrypt = "true") - I dont know if this may be a configuration issue in the Mashup file also, as I have set to use url encryption (retired the obfuscation) and if I access directly to the auth service it does work, but when doing it through mashup it does not go forward, just get a blank screen and no entries in the log file.
I have checked for the new notation on mashup, but I have not been able to find anything related to the encryption.
Thanks a lot!
P.S: I just found this out : https://pdn.pega.com/support-articles/url-encryption-not-working-web-mashupnon-gateway
Does this mean that we can't either encrypt nor obfuscate the url without the Gateway? Could anyone confirm?
Many thanks!
Department of Planning Industry and Environment
AU
also any ideas to make the url invisible or mask that is available in the mashup code, because when the user rightclick and view the source of the web page the entire url is visible.
<!DOCTYPE html> <html lang='en-AU' class="wk chrome yui-skin-sam"> <head>
<meta name="viewport" content="initial-scale=1, maximum-scale=1"> <title>Shift Management Front End portal</title>
<LINK id="favicon" REL="SHORTCUT ICON" type="image/png" HREF="webwb/CiscaFavIconRed.png" >
also any ideas to make the url invisible or mask that is available in the mashup code, because when the user rightclick and view the source of the web page the entire url is visible.
<!DOCTYPE html> <html lang='en-AU' class="wk chrome yui-skin-sam"> <head>
<meta name="viewport" content="initial-scale=1, maximum-scale=1"> <title>Shift Management Front End portal</title>
<LINK id="favicon" REL="SHORTCUT ICON" type="image/png" HREF="webwb/CiscaFavIconRed.png" >
<link rel="stylesheet" type="text/css" href="webwb/pzjquery-ui_12425559562.css!pega_yui_styles_min_13103393942!!.css"> <!-- Style for runtime editing --> <link rel="stylesheet" type="text/css" href="webwb/reports_core_11784546932.css!!.css"> <link rel="stylesheet" type="text/css" href="webwb/pzskinv2_tnswexternaluiff7d1e4bbb3f600f24fed16ea7d091915ed47fda6ef7b5c3d415acc81faf94ea_full_11383043448.css!!.css"> <script> pega_ui_statetracking_TopOfDoc = Date.now(); var uwtClientStart = new Date().getTime(); if (!pega) var pega = {}; if (!pega.desktop) { pega.desktop = {}; pega.d = pega.desktop; } pega.desktop.loadTime = new Date().getTime(); pega.d.csrfToken = "" ; pega.d.obfuscateKey = "1370aa6d1544407892e4d6e450c93d7a" ; pega.d.pyUID = "ciscaExternal"; pega.d.pxReqURI = "/prweb/IAC/QNCdCDcIuHXy06XwX0uPooOpJdVQ9vJl*/!STANDARD"; pega.d.pxHelpURI = "http://localhost:9080/prhelp"; pega.d.pxPdnURI = "https://pdn.pega.com/products/pega-721"; var requestHomeURI = "http://mnst.mps.mel.com.au:80/prweb/IAC/QNCdCDcIuHXy06XwX0uPooOpJdVQ9vJl*"; pega.d.currAG ="CiscaMgmtWeb:User"; pega.d.isPortlet = false; pega.d.desktopType = "Composite"; pega.d.desktopSubType = "Composite"; pega.d.pzUnitTestPKey = "CiscaMgmtCaseManager"; var bEncryptURLs = false; var DesktopUserSessionInfo_gStrOperatorId = "FEUserExternal"; var DesktopUserSessionInfo_gStrUserName = "Frond End User"; var DesktopUserSessionInfo_gStrCurrentWorkPool = "MNST-Maps-MFE-Work"; var DesktopUserSessionInfo_gStrStartPage = "Work"; var DesktopUserSessionInfo_gStrDesktopType = "Composite"; var gLayoutType = "header"; var gOverridePreferences = "false"; var gPersonalRuleSetName = "coscaExternal@"; var gWelcomeHTML = "WelcomeScreen"; var gPortalWarnDirty=true; var gPDNQueryURI="https://pdn.pega.com/products/pega-721"; var gCurrentAccessGroup="CiscaMgmtWeb:User"; var gRecoverPreferences = "false"; var gToolsSpaceExists = false; var gRulesSpaceExists = false; var DesktopUserSessionInfo_isAccessible = false; var gIsPegaDeveloper = false;
Pegasystems Inc.
IN
Hi Herim,
The Pega Web Mashup Gateway servlet is required if you want to use URL obfuscation with your Pega Web Mashup gadget.
See below article for more information: