TLS Handshake for REST API Calls from Pega Platform to Constellation App Static and Messaging Containers

I would like to set up a local learning environment for Constellation, including the App Static and Messaging containers. By reading the documentations, it’s my understanding that Pega platform sends customer authored content to the App Static and Messaging containers using REST API.

Given that it is a local learning environment, I was planning to use self-signed certificates for TLS connections. I have the following questions regarding the REST calls from the Pega platform to AppStatic and Messaging services:

1. Are these calls using Connect-REST rules? If yes, can someone share what they are?

2. Can I assume that I can use this approach https://docs.pega.com/bundle/platform/page/platform/security/managing-x509-certificates.html to import the certificates into the Pega platform, assuming it’s “YES” to question 1.

3. If the answer to Question 1 is NO, does it mean the certificates have to be imported into the CACERTS of the app server?

Your help is very much appreciated.

Thanks,
Terence

Hi Terence,

The calls are coded in the engine, not in Connect-REST rules. With self signed certs, the usual lookup in the truststore will fail. There is a work around; add the cert to the Infinity Java cacerts folder. I will forward this request to our security team for more explicit details.

Thanks

Nigel

@NigelJohnson thank you for looking into this. Just one more thing, can you also share how to validate that the calls to the the two containers? E.g, is there something in App / Dev Studio that can be launched?

@NigelJohnson

You can create a jks file with full cert chain and upload it to keystore.

You can run pxAddCertificatesToPlatformTruststore activity and input the above keystore. This will add all certs to Platform Truststore.

Depending on the Pega versions and specific rules, it will look in to Platform Truststore during cert validation. For most of the rules, the recent versions 23.x, 24.x generally look in to Platform Truststore for certs validation.

The other alternative options are, adding full chain of certs to default java cacerts file or using below jvm arguments (sample file names). These alternative options requires a restart.

As this requires a restart, it is not recommended. If needed, use this as a last option.

-Djavax.net.ssl.trustStore=/path/to/cacerts.jks and -Djavax.net.ssl.keyStore=/path/to/keystore.jks

@chenn1 … thanks for your reply.

Are you saying that the Platform Truststore approach described in https://docs.pega.com/bundle/platform/page/platform/security/managing-x509-certificates.html will be able to support the custom authored content communication from Pega platform to the App Static and Messaging containers via REST API?

tagging @NigelJohnson here as well.

@TerenceY0215

Are you running in to any issues in your use case?

If yes, and if you are using OOTB in this case, please open a support case.

@chenn1 … I am not running into an issue.

This was a question about how Pega platform sends customer authored content to the App Static and Messaging containers using REST API. Based on what @NigelJohnson mentioned above, these calls are not Connect-REST calls, instead they are coded in the engine.

@chenn1 , I thought you reply explained that even though these are not using Connect-REST calls, the platform truststore should still work. That’s the reason I posted the reply above.