Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Narendra kumar reddy yerasi (NK_REDDY)
Cognizant

Cognizant
US
NK_REDDY Member since 2013 11 posts
Cognizant
Posted: Jun 9, 2016
Last activity: Jun 9, 2016
Posted: 9 Jun 2016 12:40 EDT
Last activity: 9 Jun 2016 15:27 EDT
Closed

SAML SSO : Retreive Keystore Password at Runtime

We are working on implementing SAML based SSO in PEGA 7.1.8 version and the problem we are facing is that we want to retrieve the Keystore password at run-time (by passing the encrypted string) instead of storing the Keystore password directly in the PEGA Database. PEGA OOB doesn't support this and we have raised SR as well and seems like this feature may not be available in near future. The problem with storing Keystore password directly in PEGA DB is that it may change and also security concerns as the same Keystore is used by many PEGA & Non-PEGA applications.

I am planning to override/customize Keystore related activities defined in Data-Admin-Security-SSO-SAML class to retrieve the KeyStore password using Java code and PEGA Keystore rule contains the encrypted string instead of actual password.

Keystore_Activities_in_PEGA.JPG

Please let me know if you have any suggestions or alternative solutions?

Thanks

Narendra

To see attachments, please log in.
Security

Posted: 8 years ago
Posted: 9 Jun 2016 14:10 EDT
Joel McLeish (JoelMcLeish)
PEGA
Senior Director, Service Assurance
Pegasystems Inc.
AU

At which point are you seeing the unencrypted password?

In was under the impression that in 7.1.8 pyKeystorePassword is encrypted; e.g. in the clipboard on the rule form I see: {pr}k/4VUg***********REDACTED

To see attachments, please log in.
Posted: 8 years ago
Posted: 9 Jun 2016 15:27 EDT
Narendra kumar reddy yerasi (NK_REDDY)
Cognizant

Cognizant
US

Hi Joel,

Thanks for your reply.

In 7.1.7 and 7.1.8, when we enter the Signing and Decryption passwords in the authentication rule form PEGA is storing them in Plain Text and we can see the entered passwords using the "View XML" of the authentication rule form. We have raised a SR for this and we got the Hotfix. I think in 7.2 this is fixed Natively and passwords are not visible using View XML.

The issue i am talking about is that our organization doesn't allow us to Store the KeyStore passwords in PEGA DB at all and instead we need to retrieve the Keystore password stored at the container level. We need some extension point to call our Java code, which gets the Keystore password at run time.

After debugging i found that, PEGA is creating the authentication request in com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils and com.pega.pegarules.integration.engine.internal.sso.saml.SAMLPostBindingHandler internal classes and I don't think we can do any customization for this.

Please let me know if you need more details.

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice