Could someone please help me with my below queries?
1. How does Pega's OOTB authentication process work, meaning what algorithm, encryption and key does it use to authenticate a user on login? Is there any document I can refer my security team to that provides a high-level flow of the authentication process in Pega?
2. Due to a security audit, we have to remove all OOTB operator IDs from the Production environment whether they have the Administrator role or not. So is it safe to remove all OOTB operator IDs, including Administrator@pega.com? FYI, we are not using any custom agents or schedules, as scheduled jobs are controlled from outside Pega.
Yes, I happened to read the first article but could not find the answer to my audit team's questions. The second article gives a general overview of the related topic and not what the latest versions of Pega actually implement for authentication. I have raised an SR for the same to get some information.
I would like to utilize your deep knowledge of Pega to get answers to my other 2 related queries:
1. In case something goes wrong with Pega's internal authentication process (let's say the authentication encryption/decryption key or token gets corrupted, or a class gets corrupted), how does Pega overcome this and restore its authentication process?
2. By default Pega displays the "The information you entered was not recognized." error message on every unsuccessful login attempt, whether the user ID is invalid, the password is invalid or the password has expired. Can this message be customized to display a more specific message to the user?
This document looks like one where I can find some of my answers. I will go through it and let you know if I need anything else. The only concern is that this document is v5.3 specific, so I am not sure whether something has changed in Pega 7.
Regarding the second question, I think you need an operator who has the admin role in your production system so that maintenance tasks, for example installing a hotfix or troubleshooting a stuck flow, can be done easily.
Of course, in that case you need to monitor the security log to ensure there is no abuse of the admin user ID.
Passwords stored in the PRPC database are salted and hashed (one-way). When a user first connects to PRPC from a browser and is therefore not authenticated, they are prompted for a username and password. The username is matched to an instance of Data-Admin-Operator-ID. If a match is found, the entered password is salted using the same salt found in the operator instance, then hashed, then compared to the stored password. If the values match, the user has successfully authenticated.
Answers to your questions:
1. I'm not sure what is meant by 'something goes wrong', but as you can see from my description, passwords are hashed, not encrypted. So there are no keys involved that could be lost or stolen.
2. The login screen can be customized and I believe this is documented on the PDN, though not exactly sure where. The error message is vague for a very good reason: security. Telling the hacker that their login attempt failed because the password is wrong informs them that they have entered a valid username. Why would we want to give that information to a hacker? I understand that a vague message is not user friendly, but that is the price we must pay for security.
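The flow described in the answer above (per-operator salt, one-way hash, compare, and one generic failure message for every failure reason), as an added example in Python that is not Pega's code and not part of the original thread. The operator store, `AUDIT_LOG`, `authenticate` and all other names are hypothetical; the choice of PBKDF2-HMAC-SHA256 is an assumption for illustration only, since the thread does not say which hash a given Pega version uses.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the operator store (one record per operator
# ID, each holding its own random salt and the salted, hashed password).
# This is an added illustration, not Pega's implementation.
OPERATORS = {}

# Server-side audit trail. The specific failure reason is recorded here and
# never returned to the browser.
AUDIT_LOG = []

# Assumption: PBKDF2-HMAC-SHA256 is the one-way hash in this example. The
# thread does not state which algorithm a given Pega version actually uses.
ITERATIONS = 100_000
SALT_BYTES = 16
GENERIC_FAILURE = "The information you entered was not recognized."

# Fixed dummy salt and hash used when the operator ID does not exist, so an
# unknown ID costs the same hashing work as a known one (no timing hint).
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"", _DUMMY_SALT, ITERATIONS)


def hash_password(password, salt):
    """Salt, then hash one way. No key is involved that could be lost or stolen."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_operator(operator_id, password, expired=False):
    """Store a new operator with a fresh random salt; returns the stored record."""
    salt = os.urandom(SALT_BYTES)
    record = {"salt": salt, "hash": hash_password(password, salt), "expired": expired}
    OPERATORS[operator_id] = record
    return record


def authenticate(operator_id, password):
    """Return (success, message_for_user).

    Every failure path (unknown ID, wrong password, expired password) returns
    the same generic message, so a failed attempt does not confirm that the
    operator ID exists. The precise reason goes only to AUDIT_LOG.
    """
    record = OPERATORS.get(operator_id)
    if record is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, stored = record["salt"], record["hash"]

    # Always do the hashing work and a constant-time compare, whatever the outcome.
    candidate = hash_password(password, salt)
    password_matches = hmac.compare_digest(candidate, stored)

    if record is None:
        reason = "unknown operator ID"
    elif not password_matches:
        reason = "wrong password"
    elif record["expired"]:
        reason = "password expired"
    else:
        AUDIT_LOG.append(f"{operator_id}: login succeeded")
        return True, ""

    AUDIT_LOG.append(f"{operator_id}: login failed, {reason}")
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    create_operator("alice", "Passw0rd!")
    create_operator("bob", "Passw0rd!")          # same password, different salt
    create_operator("carol", "Old1", expired=True)
    for uid, pw in [("alice", "Passw0rd!"), ("alice", "nope"),
                    ("nobody", "x"), ("carol", "Old1")]:
        print(uid, authenticate(uid, pw))
    for line in AUDIT_LOG:
        print(line)
```

Two operators with the same password get different stored hashes because each has its own salt, and the three failure cases all produce the same user-facing string while the audit log still distinguishes them, which is what lets an administrator investigate abuse without handing an attacker a username oracle.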
Thank you so much Marty Solomon!! This is really good information for me. Could you please confirm what algorithm we are using in Pega v7.1.5 for password hashing? Is it MD5 or SHA-1? And can we utilize SHA-256 with v7.1.5?