Question
JPMC
US
Last activity: 10 Sep 2015 16:14 EDT
Pega's authentication process
Hi All,
Could someone please help me with my queries below?
1. How does Pega's OOTB authentication process work, meaning what algorithm, encryption and key does it use to authenticate a user on login? Is there any document I can refer my security team to that provides a high-level flow of the authentication process in Pega?
2. Due to a security audit, we have to remove all OOTB operator IDs from the Production environment, whether they have the Administrator role or not. So is it safe to remove all OOTB operator IDs, including [email protected]? FYI, we are not using any custom agents or schedules, as scheduled jobs are controlled from outside Pega.
Accepted Solution
Pegasystems Inc.
US
A description of the login process:
Passwords stored in the PRPC database are salted and hashed (one-way). When a user first connects to PRPC from a browser and is therefore not authenticated, they are prompted for a username and password. The username is matched to an instance in Data-Admin-Operator-ID. If a match is found, the entered password is salted using the same salt found in the operator instance, then hashed, then compared to the stored password. If the values match, the user has successfully authenticated.
Answers to your questions:
1. I'm not sure what is meant by 'something goes wrong', but as you can see from my description that passwords are hashed, not encrypted. So there are no keys involved that could be lost or stolen.
2. The login screen can be customized and I believe this is documented on the PDN, though not exactly sure where. The error message is vague for a very good reason: security. Telling the hacker that their login attempt failed because the password is wrong informs them that they have entered a valid username. Why would we want to give that information to a hacker? I understand that a vague message is not user friendly, but that is the price we must pay for security.
Updated: 3 Sep 2015 22:36 EDT
Pegasystems Inc.
JP
Have you read the PDN articles below? They may not be the direct answer to your question, but they are worth checking.
https://community.pega.com/security/security-overview
https://pdn.pega.com/resources/tutorials/authentication-overview
JPMC
US
Thank you so much for your response Chunzhi!!
Yes, I happened to read the first article but could not find the answer to my audit team's questions. The second article gives a general overview of the related topic and not what the latest versions of Pega actually implement for authentication. I have raised an SR for the same to get some information.
I would like to utilize your deep knowledge in Pega to get answers to my other 2 related queries:
1. In case something goes wrong with Pega's internal authentication process (let's say the authentication encryption/decryption key or token gets corrupted, or a class gets corrupted), how does Pega overcome this and restore its authentication process?
2. By default Pega displays the error message "The information you entered was not recognized." on every unsuccessful login attempt, whether the user ID is invalid, the password is invalid or the password has expired. Can this message be customized to display a more specific message to the user?
Pegasystems Inc.
JP
I am not a security expert and I can't answer your questions; maybe Marty Solomon can provide you some insights.
JPMC
US
Thanks again Chunzhi! I will wait for Marty or someone else to provide some more details on this.
The document below is for v5.3 but explains the Pega authentication process in a detailed manner:
https://pdn.pega.com/documents/authentication-in-pegarules-process-commander-v53
As for the OOTB operators, you can disable PRServlet in production so that it is not possible to log in using the OOTB usernames and passwords.
JPMC
US
Thank you Abhishek!!
It looks like I can find some of my answers in this document; I will go through it and let you know if I need anything else. The only concern is that this document is v5.3 specific, so I am not sure whether something has changed in Pega 7.
Pegasystems Inc.
JP
Regarding the second question, I think you need an operator with an admin role in your production system, so that maintenance tasks, for example installing a hotfix or troubleshooting a stuck flow, can be done easily.
Of course, in that case you need to monitor the security log to ensure there is no abuse of the admin user ID.
JPMC
US
Thank you so much Marty Solomon!! This is really good information for me. Could you please confirm what algorithm we are using in Pega v7.1.5 for password hashing? Is it MD5 or SHA-1? And can we utilize SHA-256 with v7.1.5?
Pegasystems Inc.
US
The default value is MD5.
SHA-256 was introduced in 7.1.7.
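Added example (editor's illustration, not Pega's code): the login check as the accepted solution describes it (stored salt, re-hash the submitted password with that salt, compare), with the single generic failure message the thread discusses and the MD5/SHA-256 choice from the answer above. The record layout, the salt-prefix construction, the constant-time comparison, the dummy-record work on an unknown user and the re-hash of a legacy MD5 record on successful login are assumptions of this example; the page does not say PRPC does any of them.

```python
"""Salted one-way password verification with a uniform failure message.

Added illustration for the thread above; not Pega code. The record layout,
salt || password construction, dummy-record path and upgrade-on-login are
assumptions made for this example.
"""
import hashlib
import hmac
import secrets

# Per the thread: MD5 was the default, SHA-256 became available in 7.1.7.
SUPPORTED = ("md5", "sha256")
PREFERRED = "sha256"

# One message for every failure (unknown user, wrong password, expired
# password) so the response cannot be used to confirm a valid user ID.
GENERIC_FAILURE = "The information you entered was not recognized."


def hash_password(password: str, salt: bytes, alg: str) -> bytes:
    """One-way digest of salt || password. Construction is an assumption."""
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    return hashlib.new(alg, salt + password.encode("utf-8")).digest()


def create_operator(store: dict, user_id: str, password: str,
                    alg: str = PREFERRED) -> None:
    """Store salt + digest + algorithm name; the cleartext is never kept."""
    salt = secrets.token_bytes(16)
    store[user_id] = {
        "salt": salt,
        "hash": hash_password(password, salt, alg),
        "alg": alg,
        "expired": False,
    }


# Constructed dummy record: the unknown-user path hashes against it so it
# costs about the same as a real lookup (blunts timing-based enumeration).
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT, PREFERRED)


def login(store: dict, user_id: str, password: str) -> tuple:
    """Return (ok, message). Every failure yields the same message."""
    rec = store.get(user_id)
    if rec is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT, PREFERRED),
                            _DUMMY_HASH)
        return False, GENERIC_FAILURE
    candidate = hash_password(password, rec["salt"], rec["alg"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False, GENERIC_FAILURE
    if rec["expired"]:
        return False, GENERIC_FAILURE
    # The cleartext is only available right here, so this is the one point
    # at which a legacy MD5 record can be re-hashed with the preferred algorithm.
    if rec["alg"] != PREFERRED:
        rec["salt"] = secrets.token_bytes(16)
        rec["alg"] = PREFERRED
        rec["hash"] = hash_password(password, rec["salt"], PREFERRED)
    return True, "ok"


if __name__ == "__main__":
    operators = {}
    create_operator(operators, "legacy.user", "s3cret", alg="md5")
    print(login(operators, "no.such.user", "anything"))   # generic failure
    print(login(operators, "legacy.user", "wrong"))        # generic failure
    print(login(operators, "legacy.user", "s3cret"))       # ok, record now sha256
    print(operators["legacy.user"]["alg"])
```

Two practitioner caveats that follow from the thread rather than from the code: a vague message on the response body is only half the story, since a measurable timing difference between "user not found" and "wrong password" leaks the same information, which is why the unknown-user branch above still does a hash; and a single unkeyed MD5 or SHA-256 over salt and password is fast to brute-force offline, so a system designed today would use a deliberately slow construction (PBKDF2, bcrypt, scrypt or Argon2) rather than either algorithm named in the answer.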
JPMC
US
Thank you again Marty Solomon!! I think we need to get upgraded to v7.1.7 then.