Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Kingshuk Singha Mahapatra (KINGSHUK)
ING
Lead system architecht
ING
NL
KINGSHUK Member since 2011 1 post
ING
Posted: Jan 20, 2020
Last activity: Jan 30, 2020
Posted: 20 Jan 2020 10:20 EST
Last activity: 30 Jan 2020 13:52 EST
Closed

Clarification needed on some of the prconfig security settings.

Hello All,

Currently, We are in a process of implementing "prconfig security settings" . While doing so, we had doubts on some specific settings. Could anyone please provide some clarification on those.

PFA the pdf document about the doubtfull settings and the corresponding questions.

Infra : Pega Cloud 8.2.3

We have used below link to compare the security settings with the prconfig and DSS settings available in our infra.

https://community.pega.com/knowledgebase/articles/security-settings-prconfigxml-file

Thanks in advance!

To see attachments, please log in.
Pega Platform
Cloud Services
Security
System Administration

Posted: 4 years ago
Posted: 22 Jan 2020 17:46 EST
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi KingShuk,

I would suggest opening an SR to have these settings reviewed in the context of your questions.  Once you open an SR, please respond here with the SR number.

 

To see attachments, please log in.
Posted: 4 years ago
Posted: 29 Jan 2020 4:49 EST
Anthony Gourtay (Anthony_Gourtay)
Proximus
Expert Engineer - PEGA Application Management
Proximus
BE

We're not on PEGA cloud and we validated security requirements with below setup on 7.3.1
       <env name="authentication/trojanhorseprotection/default" value="1"/>
        <env name="HTTP/UseNoCacheHeaders" value="true"/>
        <env name="cookie/HttpOnly" value="true"/>
        <env name="HTTP/SetSecureCookie" value="false"/> 
        <env name="initialization/DisplayExceptionTraceback" value="false"/>
        <env name="initialization/ErrorOnInvalidThreadName" value="true"/>
        <env name="initialization/DisableAutoComplete" value="true"/>
        <env name="initialization/PromoteEmbeddedPortals" value="true"/>

Our Pega apps are internal and not Internet exposed.
SetSecureCookie to true was creating issue on our side, so we kept it to False.
If this can help...
Regards
Anthony

To see attachments, please log in.
Posted: 4 years ago
Posted: 30 Jan 2020 6:18 EST
Anthony Gourtay (Anthony_Gourtay)
Proximus
Expert Engineer - PEGA Application Management
Proximus
BE

If I remember well, application was not coming up with SetSecureCookie on true
I think that you need to be 100% https to use this param on True (to be confirmed)
You could either directly try it with True and see what's happening or keep this one on False while you play with other params. When you've found a setup fine for you, then turn this last one to True.
Regards
Anthony

To see attachments, please log in.
Posted: 4 years ago
Posted: 30 Jan 2020 13:52 EST
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi,

If SetSecureCookie is enabled and you try to access the Pega Application via http://... you will fail.  This setting forces you to access only via https://...

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice