The Pega API requires the use of strong transport layer security, such as TLS 1.2, to help ensure the safety of the Pega API credentials transferred using HTTP basic authentication. The Pega API will function without such basic security measures; however, it is strongly recommended that you use them.
To configure security:
1. Deploy the Pega application using TLS/SSL. You can do this by creating and installing TLS/SSL digital certificates on your web application server for the Pega application. Refer to the documentation for your server for instructions on how to do this.
2. Confirm that the Pega API is configured to use TLS/SSL. This is enabled by default. On the Edit Service Package dialog box for the API service package, ensure that Requires authentication, Use TLS/SSL (REST only), and Suppress Show-HTML are selected.
3. Test the Pega API in Designer Studio and ensure that:
   - the URL starts with "https://"
   - the connection is using TLS 1.2
   - the user is prompted for their Pega credentials the first time the Pega API is used in a browser session
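The three checks in the test step can also be run from outside the browser. The following is an added example, not part of the Pega documentation: it sends one request without credentials and reports the negotiated TLS version and whether the server answers with an HTTP Basic challenge, which is what makes a browser prompt for credentials. The host name and path are placeholders, and accepting TLS 1.3 in addition to TLS 1.2 is an assumption of the example.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

# Assumption of this example: TLS 1.3 is accepted as well as TLS 1.2.
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")


def evaluate(url, tls_version, status, www_authenticate, accepted=ACCEPTED_TLS):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("URL does not start with https://")
    if tls_version not in accepted:
        findings.append(f"negotiated {tls_version}, expected one of {accepted}")
    # A browser shows its credential prompt only on a 401 with a Basic challenge.
    challenges = (www_authenticate or "").lower().split(",")
    has_basic = any(c.strip().startswith("basic") for c in challenges)
    if status != 401 or not has_basic:
        findings.append(f"unauthenticated request got {status} without a Basic challenge")
    return findings


def probe(url, timeout=5.0):
    """Send one request with no credentials; return (tls_version, status, challenge)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return None, None, ""           # nothing to negotiate over plain HTTP
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=ctx)
    try:
        conn.connect()
        version = conn.sock.version()   # for example "TLSv1.2"
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return version, resp.status, resp.getheader("WWW-Authenticate", "")
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder URL (hypothetical host and path): pass your own endpoint as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://pega.example.com/prweb/api/v1/"
    problems = evaluate(target, *probe(target))
    print("\n".join(problems) or "all checks passed")
    sys.exit(1 if problems else 0)
```

A certificate that fails validation, or a server that cannot negotiate a protocol version the local Python build allows, raises `ssl.SSLError` from `probe` before any finding is produced.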
The role PegaRULES:PegaAPI must be explicitly added to a user's access group for them to be able to use the Pega API. This is done when creating a new application.