Question
Macquarie Group
AU
Last activity: 26 Jul 2017 21:48 EDT
Pega 7.3 - Disable default login
Hi,
Is it possible to disable the default login so that users created with applications and the standard Pega users (i.e. [email protected]) can't log in?
I have a safety mechanism for automatically configuring LDAP via CLI which doesn't use the administrator account (to the best of my knowledge), so if a malicious actor gained control or a mistake was made, I can always re-apply the LDAP credentials, organizational unit and model user ([email protected]) so that they can manually reconfigure everything again.
Thanks,
Elliot
***Moderator Edit: Vidyaranjan | Updated Categories***
Accepted Solution
Macquarie Group
AU
After consultation with Pega, the solution is to comment out the following sections in the web.xml file for prweb:
<!--
<servlet-mapping>
  <servlet-name>WebStandard</servlet-name>
  <url-pattern>/PRServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>WebStandard</servlet-name>
  <url-pattern>/PRServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>WebStandard</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>
-->
This actively disables the default login provided by Pega.
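Added example, not from the thread or from Pega: a small Python check that parses a prweb web.xml and reports which URL patterns are still mapped to the WebStandard servlet, so a deployment pipeline can confirm the fix above has been applied and has not been reverted. The sample web.xml and the OtherServlet mapping are constructed; the Java EE namespace URI is assumed for the deployment descriptor.

```python
import xml.etree.ElementTree as ET
# Constructed sample of a prweb web.xml after the fix in the accepted solution:
# the three WebStandard mappings are commented out; an unrelated mapping stays active.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!--
  <servlet-mapping>
    <servlet-name>WebStandard</servlet-name>
    <url-pattern>/PRServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>WebStandard</servlet-name>
    <url-pattern>/PRServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>WebStandard</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>OtherServlet</servlet-name>
    <url-pattern>/other/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Same file with the comment delimiters stripped: the default login is reachable again.
EXPOSED_WEB_XML = HARDENED_WEB_XML.replace("<!--", "").replace("-->", "")

def _local(tag):
    """Drop the Java EE default namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]

def active_mappings(web_xml, servlet_name="WebStandard"):
    """Return url-patterns still mapped to servlet_name; [] means no default login URL."""
    # ElementTree discards XML comments while parsing, so commented-out
    # servlet-mapping blocks never reach the tree and count as inactive.
    root = ET.fromstring(web_xml)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        names = [c.text.strip() for c in mapping if _local(c.tag) == "servlet-name" and c.text]
        if servlet_name in names:  # one mapping may carry several url-patterns
            patterns += [c.text.strip() for c in mapping if _local(c.tag) == "url-pattern" and c.text]
    return patterns

def default_login_exposed(web_xml):
    """True when a WebStandard mapping is live, i.e. the fix was never applied or was reverted."""
    return bool(active_mappings(web_xml))
```

Run it against the deployed prweb web.xml on every release; a non-empty result from active_mappings means the default Pega login has come back.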
Pegasystems Inc.
IN
Hello,
You can check the “Use external authentication” check box in the “Security” tab of the Operator profile, so that users can log in using SSO/LDAP only.
Thanks,
Gisela
Macquarie Group
AU
Hi Gisela,
I understand that you can do this, but this requires manual effort and can potentially miss a default operator. Furthermore, when a new application is created, four new users are created, which would create a security issue until someone checked "use external authentication" for each of the users, which will probably be missed at some point in time.
Thanks,
Elliot
Pegasystems Inc.
IN
Hi Elliot,
Yes, I get your point.
This was the only way I was aware of.
Let us wait for the other experts to share their thoughts.
Thanks,
Gisela
Pegasystems Inc.
IN
Hi Elliot,
We noticed that you have created SR-B67598 with Pega Global Customer Support team. We believe that the SR is for the above query. Please confirm.
Regards,
Macquarie Group
AU
Hi Lochan,
I can confirm that SR-B67598 is the same as the above query.
Thanks,
Elliot
Pegasystems Inc.
IN
Thanks Elliot!
In such scenarios, we'd recommend that you continue the investigation over the SR to maintain one thread of troubleshooting. We will continue to track the SR investigation from this post.
Regards,
Macquarie Group
AU
Hi Lochan,
I have also been advised by the SR contact that the question should be answered via the community instead of the SR ticket. There is also an option to add an SR ticket to the community question which, at least in my mind, provides a logical assumption that you can ask both since they can be tied together (so long as the ticket is raised before the community question).
I have also notified our account representative with both the community posts and the SR tickets for this (as well as other issues) in a single email and they did not notify us that we should not take that approach.
How do you think I should proceed since I have multiple tickets/questions in the community which are several days old which have not been answered yet?
Thanks,
Elliot
Pegasystems Inc.
IN
Hi Elliot,
Thank you for bringing this up. I have sent you a PDN private message with more details for this specific use case and also to open up a specific channel of communication between us.
Regards,
Pegasystems Inc.
AU
Hello Elliot,
You can modify the web-login HTML rule to only display the login page for the specific servlet(s) users want to use, and otherwise display an access denied message. This is a simple when condition based on pxRequestor.pxReqServletNameReal; you also need to set the operators to external only to prevent URL-level access for those users.
Regards,
Basavaraj
Macquarie Group
AU
Hi Basavaraj,
Does this require the operators to have the property "external authentication" to be checked for this to work?
Thanks,
Elliot
Pegasystems Inc.
AU
Hi Elliot,
Yes, you will have to check the external authentication so that the PRPC default users won't be able to log in using the PRServlet URL.
Regards,
Basavaraj
Macquarie Group
AU
Hi Basavaraj,
I would assume that this wouldn't disable the login, as the users can still log in via the default URL if they don't have "external authentication" checked, which masks disabling the default authentication. Thank you for trying to assist though!
Thanks,
Elliot
Pegasystems Inc.
AU
Hi Elliot,
Yes, by selecting external authentication, users will not be able to log in with the default PRPC basic authentication and will only be able to log in with the external authentication configured for such users.
Regards,
Basavaraj
Macquarie Group
AU
Hi Basavaraj,
This doesn't fulfill the requirement of disabling the default authentication, as it doesn't actually disable the default authentication. All it does is force specific users (in your suggestion, all users) to use an external authentication for which there is none. However, if a user then unchecks this, creates a new application within Designer Studio or creates a new user without checking the flag, then they can authenticate using the default Pega login, which the service management team, using your example steps, would think is impossible to do.
Kind regards,
Elliot
Pegasystems Inc.
IN
Hi,
To disable a few operators, you can use the Operator Access landing page (Designer Studio --> Org & Security --> Authentication --> Operator access) and disable selected operators. Regarding default operators that get created with a new application, we can optionally skip the creation of default operators from Advanced configuration.
Thanks,
Santhosh
Macquarie Group
AU
Hi Bagas,
I have previously responded in this question to the first part of your response, r.e. manually disabling, which I have included below.
You can optionally skip this, and if this occurs it will create a security hole in the implementation, since everyone knows the default passwords for all users.
Thanks,
Elliot
Previous response: I understand that you can do this but this requires both manual effort and can potentially miss a default operator. Furthermore, when a new application is created four new users are created which would create a security issue until someone checked the "use external authentication" for each of the users which will probably be missed at some point in time.
Pegasystems Inc.
IN
Hi,
If it is to be done post installation, AFAIK it has to be done manually. But for fresh installations, you can use secure mode installation to deactivate all Pega-supplied operators except "[email protected]". To activate those operators post installation, you can use the Operator Access landing page (Designer Studio --> Org & Security --> Authentication --> Operator access).
For new applications, you can skip creation of default operators.
Thanks,
Santhosh
Macquarie Group
AU
Hi Bagas,
This still doesn't disable the login, as [email protected] can still log in. Thank you for your assistance though!
Thanks,
Elliot