Applies to Pega Platform versions 6.1 through 7.3.1
Usage Note
If you are using a release earlier than Pega Platform version 7.4, follow the instructions in this document to obtain and run the utility that disables default operators with insecure passwords.
See the Pega 7.4 Release Notes, Enhancements, the Security 7.4 note, Improved operator security.
Heed the Warning!
Detect and disable default operators with insecure passwords
A new utility is available that detects and disables default operators included with Pega software that do not have secure passwords.
Disable all default operators included with Pega software or have their passwords changed to a non-default value.
Determine the hotfix you need
The utility for detecting and disabling default operators with insecure passwords is available in a hotfix (HFix) for the Pega Platform that you are using. The utility provided by the hotfix is planned to be permanently added to the Pega Platform in future releases starting with Pega Platform version 7.4.
Pega Platform version 7 Hotfixes
If you are using the Pega Platform version 7, find the hotfix that you need to request in the following table.
Pega 7 Version | Hotfix Number |
---|---|
7.3.1 | HFix-38827 |
7.3 | HFix-38828 |
7.2.2 | HFix-38829 |
7.2.1 | HFix-38845 |
7.2 | HFix-38846 |
7.1.9 | HFix-39174 |
7.1.8 | HFix-39173 |
7.1.7 | HFix-39172 |
7.1.6 | HFix-39171 |
7.1.5 | HFix-39170 |
7.1.2 | HFix-39169 |
Pega Platform version 6 Hotfixes
If you are using Pega Platform version 6, find the hotfix that you need to request in the following table.
Pega 6 Version | Hotfix Number |
---|---|
6.3 SP1 | HFix-39575 |
6.3 | HFix-39166 |
6.2 SP2 | HFix-39165 |
6.2 SP1 | HFix-39164 |
6.1 SP2 | HFix-38848 |
Request and install the hotfix
To request and install the hotfix that you need for your Pega Platform, follow these steps:
- Go to My Support Portal FAQs.
- Scroll to Submitting tickets > For something I need > Existing hotfix (HF-).
- In My Support Portal, complete the fields of the Existing hotfix service request form and submit the form.
- When you are notified, download the hotfix package provided by the support team and save it to your computer.
- See Applying hotfixes.
- When the hotfix installation is complete, restart your application server.
  This step is necessary because the hotfix package includes Pega Engine code changes.
- Log in to the system as a local administrator operator.
  This is necessary to access and run the activity for the utility, pzDisableOperators.
Know the caveats and options
Warning
The Disable Default Operators utility disables the operator [email protected].
Do NOT use this operator to run the utility: Use a local administrator operator.
Optional prerequisite: Enable logging
If you wish to have detailed information about the specific operator records disabled by this utility, you must first enable INFO level logging on the Pega Engine class com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility.
Two ways to run the utility
You can run the Disable Default Operators utility in one of two ways:
- Using the Designer Studio
- Using the command line
Running the utility from the command line provides options to extend the scope of the utility.
Using the Designer Studio
Enable detailed logging (optional prerequisite)
To enable INFO level logging on the Pega Engine class com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility, change the logging level for this class from one of the following contexts:
- Designer Studio > System > Tools | Operations > Logs
- System Management Application (SMA) > Logging and Tracing > Log Level Settings
(The navigation path varies slightly depending on the Pega product release.)
Locate and run the utility
To locate and run the Disable Default Operators utility, complete the following steps:
- From the Designer Studio, search for the activity pzDisableOperators using the ‘old:’ keyword prefix.
  Example: old:pzDisableOperators
  The activity can be found only by using the ‘old:’ keyword prefix because it is marked as an internal rule.
- To run the activity, from the Action menu, click Run.
  When the activity finishes, a pop-up status window displays Status good and the message The operation completed successfully, but returned no content.
- Optional: Further verify successful completion of the utility by reviewing the PegaRULES logfile messages. You should see a message like the following example when the utility is run:
2017-12-08 17:40:20,074 [http-apr-8080-exec-3] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client [email protected] - Disabling operators from activity started..........
2017-12-08 17:40:27,521 [http-apr-8080-exec-3] [ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) INFO your_server|your_client [email protected] - Disabling operators from activity ended..........
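A check for the log verification step above, as an added example that is not part of the original page or of Pega's tooling: it pairs the started and ended messages and flags a run that never logged its end marker. The sample lines are constructed (host, client and operator fields are placeholders), and pairing by thread name is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the first two lines follow the messages shown above; the
# third is an invented run that never logs its end marker.
_FIELDS = ("[ STANDARD] [ ] [ PegaRULES:07.10] (Accel_Management_Import.Action) "
           "INFO your_server|your_client operator_id - Disabling operators from activity ")
SAMPLE_LOG = "\n".join([
    "2017-12-08 17:40:20,074 [http-apr-8080-exec-3] " + _FIELDS + "started..........",
    "2017-12-08 17:40:27,521 [http-apr-8080-exec-3] " + _FIELDS + "ended..........",
    "2017-12-09 09:15:02,310 [http-apr-8080-exec-7] " + _FIELDS + "started..........",
])

MARKER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\]"
    r".*Disabling operators from activity (?P<event>started|ended)"
)

def find_runs(log_text):
    """Pair started/ended markers per thread (assumption: a run stays on one thread)."""
    pending, runs = {}, []
    for line in log_text.splitlines():
        m = MARKER.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        thread = m["thread"]
        if m["event"] == "started":
            if thread in pending:  # an earlier start on this thread never ended
                runs.append({"thread": thread, "start": pending[thread], "end": None})
            pending[thread] = ts
        elif thread in pending:
            runs.append({"thread": thread, "start": pending.pop(thread), "end": ts})
    # Anything still pending started but never logged the end marker.
    runs += [{"thread": t, "start": s, "end": None} for t, s in pending.items()]
    return runs

def incomplete_runs(log_text):
    """Runs with a start marker and no matching end marker."""
    return [r for r in find_runs(log_text) if r["end"] is None]

if __name__ == "__main__":
    for run in find_runs(SAMPLE_LOG):
        if run["end"] is None:
            print(f"{run['start']} {run['thread']}: started, no end marker")
        else:
            secs = (run["end"] - run["start"]).total_seconds()
            print(f"{run['start']} {run['thread']}: completed in {secs:.3f}s")
```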
Using the command line
As an alternative to using the Designer Studio, you can run the Disable Default Operators utility from the command line.
Prerequisites
Ensure that your system fulfills the following prerequisites:
- Java SDK version 1.7 or higher must be installed and available on the system path and the JAVA_HOME environment variable must be set.
- The PRPC or Pega Platform distribution media must be expanded to a working folder.
- A JDBC driver JAR file appropriate for your database type and version must be available in a folder on the computer.
- Database credentials must be set for a user who has DML access to the Pega database.
Enable detailed logging (optional prerequisite)
To enable INFO level logging on the Pega Engine class com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility, change the logging level for this class for your version of the Pega Platform or PRPC.
Pega Platform 7.3 and later releases
Modify the logging settings in the file \scripts\config\prlog4j2.xml by adding the following logger:
<Logger name="com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility" level="info"/>
All other Pega Platform releases
Modify the logging settings in the file \scripts\config\prlogging.xml by adding the following logging category:
<category name="com.pega.pegarules.deploy.internal.util.DisableOperatorsUtility" additivity="false">
<priority value="info"/>
<appender-ref ref="PEGA"/>
</category>
Locate and run the utility
To run the Disable Operators utility from the command line, complete the following steps:
- Locate the three (3) Disable Operators script files included in the hotfix delivery file (DL-#####.zip) provided by GCS:
  - disableOperators.sh – Unix/Linux shell script
  - disableOperators.bat – Windows batch script
  - disableOperators.xml – Ant project file
- Copy the scripts to the \scripts folder of the expanded PRPC or Pega Platform distribution media.
  Important: You must copy the scripts to the \scripts folder of the expanded distribution media because they rely upon other files and folders in the distribution media structure.
- Optional: If you would like to have detailed information about the specific operator records disabled by this utility, enable detailed logging.
- Run the Disable Operators script for your operating system with the required runtime parameters:
  - For Windows, run disableOperators.bat.
  - For UNIX or Linux, run disableOperators.sh.
- Determine the appropriate values for the following runtime parameters based on your site’s configuration and pass them on the script execution command line as shown in the example:
  --driverJAR
  --driverClass
  --dbType
  --dbURL
  --dbUser
  --dbPassword
  --rulesSchema
  --dataSchema
  Here is an example command line for the Disable Operators script running on Windows:
  C:\Pega\scripts\disableOperators.bat --driverJAR "C:\\Pega\\driver\\ojdbc6.jar" --driverClass oracle.jdbc.OracleDriver --dbType oracledate --dbURL jdbc:oracle:thin:@localhost:1521/Pega7 --dbUser pegaadmin --dbPassword pegaadmin --rulesSchema rules --dataSchema data
- After the Disable Operators script finishes running, you see a confirmation message similar to this example:
  BUILD SUCCESSFUL
  Total time: 1 minute 45 seconds
  Exiting with NO Error
- See Additional options for the utility.
Additional options for the utility
The Disable Operators utility always disables a hard-coded list of default product operators if they are found to be using a default password. Options are available for detecting additional sets of operators and additional password values, either separately or in combination.
Detecting additional operators
To detect an additional set of operators for default passwords, run the utility using the parameter operatorsfilePath and refer to a text file with a simple list of operator IDs (one ID per line), as shown in the following example:
C:\Pega\scripts\disableOperators.bat --driverJAR "C:\\Pega\\driver\\ojdbc6.jar" --driverClass oracle.jdbc.OracleDriver --dbType oracledate --dbURL jdbc:oracle:thin:@localhost:1521/Pega7 --dbUser pegaadmin --dbPassword pegaadmin --rulesSchema rules --dataSchema data --operatorsfilePath C:\\Pega\\scripts\\myOperators.txt
You might want to use the operatorsfilePath option with the passwordsfilePath option described next.
Detecting additional password values
To check the hard-coded list of default product operators for additional password values and disable them if there is a match, run the utility using the parameter passwordsfilePath and refer to a text file with a simple list of password values (one per line), as shown in the following example:
C:\Pega\scripts\disableOperators.bat --driverJAR "C:\\Pega\\driver\\ojdbc6.jar" --driverClass oracle.jdbc.OracleDriver --dbType oracledate --dbURL jdbc:oracle:thin:@localhost:1521/Pega7 --dbUser pegaadmin --dbPassword pegaadmin --rulesSchema rules --dataSchema data --passwordsfilePath C:\\Pega\\scripts\\myPasswords.txt
You might want to use the passwordsfilePath option with the operatorsfilePath option described previously.
Combining the optional parameters
If you use operatorsfilePath and passwordsfilePath in combination, be aware of the precedence of the utility’s behavior:
- First, the utility disables the hard-coded list of default product operators if their passwords match either the default value or the value specified in the file referred to by passwordsfilePath.
- Then the utility disables any operators specified in the file referred to by operatorsfilePath ONLY if their passwords match a value provided in the file referred to by passwordsfilePath.
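The option rules above, modelled as an added example (not the utility's own code) so the effect of each combination can be compared side by side. Operator IDs, password values and the inventory are constructed placeholders, and the plain-text comparison stands in for whatever credential check the utility performs.

```python
# Constructed placeholders: the utility's real hard-coded operator list and
# default password values are not given on the page.
DEFAULT_OPS = ["default.admin", "default.user"]
DEFAULT_PWS = {"vendor-default"}

# Constructed inventory: operator ID -> current password.
INVENTORY = {
    "default.admin": "vendor-default",
    "default.user": "Winter2017",
    "svc.batch": "vendor-default",
    "svc.report": "Winter2017",
}

def operators_to_disable(inventory, extra_ops=None, extra_pws=None):
    """Return the operators the documented rules would disable.

    extra_ops models the contents of the operatorsfilePath file,
    extra_pws the contents of the passwordsfilePath file.
    """
    extra_ops = list(extra_ops or [])
    extra_pws = set(extra_pws or [])

    # Rule 1: default operators are disabled when their password matches a
    # default value OR any value from the passwords file.
    disabled = {op for op in DEFAULT_OPS
                if inventory.get(op) in DEFAULT_PWS | extra_pws}

    # Rule 2: operators from the operators file. Used alone, they are checked
    # for default passwords; combined with a passwords file, they are checked
    # ONLY against the values in that file.
    candidates = extra_pws if extra_pws else DEFAULT_PWS
    disabled |= {op for op in extra_ops if inventory.get(op) in candidates}
    return sorted(disabled)

if __name__ == "__main__":
    extra = ["svc.batch", "svc.report"]
    print("no options:     ", operators_to_disable(INVENTORY))
    print("operators file: ", operators_to_disable(INVENTORY, extra_ops=extra))
    print("passwords file: ", operators_to_disable(INVENTORY, extra_pws=["Winter2017"]))
    print("both files:     ", operators_to_disable(INVENTORY, extra, ["Winter2017"]))
```

In the combined case, an operator listed in the operators file that still has a default password stays enabled unless that value also appears in the passwords file. The passwords file holds candidate values in clear text, so restrict access to it and remove it after the run.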
Get help
If you encounter issues installing and running the Disable Default Operators utility or if you have questions about it, post your questions to the Pega Support Center (PSC). The support engineers will answer your questions or determine and advise if you need to go to My Support Portal to submit a support case.