Pega Platform 8.8.3 - Encrypting system data by using a custom key management service
Pega Platform 8.8.3 - Encrypting system data by using a custom key management service
- I’ve created a GetCustomMccmMasterKey activity under Data-Admin-Security-Keystore class.
I am getting “Failed to add keystore to cache error” message after executing activity. Is there any way to successfully add keystore to cache and get this issue resolved?
I’ve also created a data page described in second step of the document in link below. However, we should resolve the activity error issue first to move further steps.
References
Encrypting application data by using a custom key management service (pega.com)
Other Encryption Approach We Tried After Failing Encrypting system data by using a custom key management service
Pega Platform 8.8.3 - Encrypting system data by using a custom key management service
- I’ve created a GetCustomMccmMasterKey activity under Data-Admin-Security-Keystore class.
I am getting “Failed to add keystore to cache error” message after executing activity. Is there any way to successfully add keystore to cache and get this issue resolved?
I’ve also created a data page described in second step of the document in link below. However, we should resolve the activity error issue first to move further steps.
References
Encrypting application data by using a custom key management service (pega.com)
Other Encryption Approach We Tried After Failing Encrypting system data by using a custom key management service
- We have used methods (tools.getPRCrypto().encrypt(dataContent) and tools.getPRCrypto().decrypt(dataContent)) from the engine api in order to find different way to achieve encrypt and decrypt on pega platform. However, it is working like one way encryption so we could not achieve decryption with this approach.
Whenever we call tools.getPRCrypto().decrypt(dataContent) function, we are expeting to see “Mert” value but it is showing the encrypted text.
Regarding Other Encryption Approach We Tried After Failing Encrypting system data by using a custom key management service, approach I've realised that it is actually working as the pop-up includes the encrypted text trimmed appeared after Show-Property Activity method so that whenever testing decryption with the encrypted text appeared in the pop-up the same value appeared so the perception was two way encryption / decryption not works with the plain text. I've realise that whenever writing the encrypted text in one of DB table, there are some space and the tab character at the beginning of {pr}... encrypted text persisted in one of DB table column so whenever testing the decryption with the actual value (copied directly from the DB table column), cipher text decrypted successfully. Nevertheless, this approach is not recommended for encrypting the application data as you can read my last post in this thread. One last note from my end is that apart from the java codes shared in the image, I've used encryptPW and decryptPW functions but looks like those functions are also using similar java codes in those function rules. I've executed my latest tests on Pega platform 24.2.2 version. I think 8.8.3 version was also working literally same as Pega platform 24.2.2.
Regards. Mert.
Accepted Solution
Updated: 7 Oct 2025 8:50 EDT
Bentego
TR
Hi @Vijay1011
We've moved forward with configuring a HashiCorp Vault keystore in Pega platform 8.8 version. Before that we had to install HashiCorp Vault community edition in order to conduct a PoC. We've successfully brought the encrypting / decrypting the Pega application data mechanism. However, we faced some issues with convincing the security department of organization for production. They could not be convinced to purchase HashiCorp Vault enterprise just for our implementation. They recommend us to integrate with their kind of hardware encryption with following pkcs standards.
If your organization is already using HashiCorp Vault enterprise edition or willing to purchase, I highly recommend you to stick with "configuring a HashiCorp Vault keystore". In addition, we have experienced this configuration on Pega platform version 8.8 and now the platform version has been upgraged to 24.2.2 but I do not expect that you will face issues if your platform version above the Pega platform version 8.8. Good luck.
Regards.
Mert.
Pegasystems Inc.
IN
@m.caldag On your first case, I Hope you seeing the issue when trying to run the activity using the Action-> Run button , Have you tried completely configuring the keystore settings and check if the property got encrypted Thank you ! Manojkumar
Bentego
TR
@Manojkumar_ J Yes, I have tried but did not mention them before finding a solution for the issue I faced initially.
When I try to generate a keystore, some validation causing fails.
When I check the log for more information, I have seen the log below.
java.lang.NullPointerException
Updated: 12 Jun 2024 10:05 EDT
Pegasystems Inc.
GB
@m.caldag please log a support issue via the MSP if you need help from our support team. Please provide the INC ticket id here.
Bentego
TR
@MarijeSchillern INC-B26954
Pegasystems Inc.
GB
@m.caldag INC-B26954 was a ticket that simply referred back to this forum question, which is a 'How to' question.
Our support team therefore closed it, requesting that guidance regarding encrypying app data by using a custom key management service is something someone here on the forum should be able to help you with.
I provided possible reasons for the NullPointer in my earlier response.
Bentego
TR
@MarijeSchillern No, It is not a how to question. It is a support request in order to have some solution on an issue occured while configuring rules in the light of documentation below.
Encrypting application data by using a custom key management service (pega.com)
Updated: 7 Oct 2025 8:50 EDT
Pegasystems Inc.
GB
@m.caldag did you log a support ticket for your "java.lang.NullPointerException "?
Please can you provide the final solution to this question?
The "java.lang.NullPointerException" error typically occurs when you're trying to use a reference that points to no location in memory (null) as though it were referencing an object. In the context of generating a keystore for system data encryption using a custom key management service, this could mean that there might be an issue with the configuration of your custom key management service, the data page, or the activity that accesses the custom KMS. Please ensure that:
- The activity that accesses the custom KMS is correctly configured and able to retrieve the master key.
- The data page is correctly set up to load the activity and pass the necessary parameters.
- The keystore is correctly configured to load from the data page.
If the issue persists, it would be helpful to review the full stack trace of the error in the log file to identify the exact line of code causing the issue.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Encrypting system data by using a custom key management service
Accepted Solution
Updated: 7 Oct 2025 8:50 EDT
Bentego
TR
Hi @Vijay1011
We've moved forward with configuring a HashiCorp Vault keystore in Pega platform 8.8 version. Before that we had to install HashiCorp Vault community edition in order to conduct a PoC. We've successfully brought the encrypting / decrypting the Pega application data mechanism. However, we faced some issues with convincing the security department of organization for production. They could not be convinced to purchase HashiCorp Vault enterprise just for our implementation. They recommend us to integrate with their kind of hardware encryption with following pkcs standards.
If your organization is already using HashiCorp Vault enterprise edition or willing to purchase, I highly recommend you to stick with "configuring a HashiCorp Vault keystore". In addition, we have experienced this configuration on Pega platform version 8.8 and now the platform version has been upgraged to 24.2.2 but I do not expect that you will face issues if your platform version above the Pega platform version 8.8. Good luck.
Regards.
Mert.
Updated: 14 Nov 2025 12:05 EST
Bentego
TR
Hello @Vijay1011,
Alternatively, If you have some urgeny about this requirement, you may also encrypt / decrypt the application data with using either site-specific or portable cipher through the @encryptPW function (not sure which one is used under the hood but probably site-specific chipher) and @decryptPW function without configuring Application data encryption under System - Settings landing page. What I understood is that Pega platform is using this technique to perform encryption and decryption activities of data related Pega platform rule and data instances such as password under Authentication Profile and etc. One of the limitation we are going to encounter in case we choose this technique is that if you need to decrypt cipher text out of Pega platform or migrate the encrypted data-in-rest to another DB which is associated with another Pega platform environment, you have to know the key but we do not know in this approach and I do not know where Pega platform store this key or if second example happening, key in the another environment must be the same with the environment encrypt this data earlier that's why I think they are recommending other techniques for application data encryption. Although, Pegasystems is not recommending to perform encryption and decryption of application data with this technique, it is a solution at least.
Recommended approaches for encrypting application data listed below as official reference.
Hello @Vijay1011,
Alternatively, If you have some urgeny about this requirement, you may also encrypt / decrypt the application data with using either site-specific or portable cipher through the @encryptPW function (not sure which one is used under the hood but probably site-specific chipher) and @decryptPW function without configuring Application data encryption under System - Settings landing page. What I understood is that Pega platform is using this technique to perform encryption and decryption activities of data related Pega platform rule and data instances such as password under Authentication Profile and etc. One of the limitation we are going to encounter in case we choose this technique is that if you need to decrypt cipher text out of Pega platform or migrate the encrypted data-in-rest to another DB which is associated with another Pega platform environment, you have to know the key but we do not know in this approach and I do not know where Pega platform store this key or if second example happening, key in the another environment must be the same with the environment encrypt this data earlier that's why I think they are recommending other techniques for application data encryption. Although, Pegasystems is not recommending to perform encryption and decryption of application data with this technique, it is a solution at least.
Recommended approaches for encrypting application data listed below as official reference.
