The Assisted Sign-On component in Pega® Robotic Automation Studio is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data using a private key derived from a user’s Windows identity. Once encrypted, data can only be decrypted by the same Windows user. For more information, refer to this web page:
Here are some frequently asked questions about the Assisted Sign-On component:
Where are credentials stored?
Credentials are stored locally on the machine in an encrypted file located by default under the user’s application data roaming directory. The Assisted Sign-On component does not use a central server. Here is an example:
C:\Documents and Settings\John Doe\AppData\Roaming\OpenSpan\ASO.db
You can change the file location by modifying the FileLocation option in the AssistedSignOn section of the RuntimeConfig.xml file. You can change the location to other known .NET special folders, Environment variables, or a fully-qualified path.
How are credentials stored?
The Assisted Sign-On component will persist these strings:
- Application name
- User name
You can optionally store the password if you set the StorePassword option in the AssistedSignOn section in the RuntimeConfig.xml file to True. This option is set to False by default.
DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in the Password Based Encryption Standard (PKCS) #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.
The MasterKey, however, is not used explicitly to protect the data. Instead, a symmetric session key is generated based on the MasterKey, some random data, and an additional hard-coded entropy string that Pega provides. This session key is used to protect the data. The session key is never stored. Instead, DPAPI stores the random data it used to generate the key in the opaque data blob. When the data blob is passed back in to DPAPI, the random data is used to re-create the key and unprotect the data.
For security reasons, MasterKeys expire, which means that after a period of time -- the hard-coded value being three months -- a new MasterKey is generated and protected in the same manner. This expiration prevents an attacker from compromising a single MasterKey and accessing all of a user's protected data.
Can anyone view or decrypt stored credentials?
No. Only the user whose Windows identity was used to encrypt the data can decrypt it. Moreover, the additional entropy string supplied by Pega helps prevent other applications from decrypting the credential data.
Are the credentials encrypted in memory?
Yes. Credentials are encrypted in memory using a randomly generated entropy that is a valid only for the current Runtime session. Additionally all credentials values are stored with .NET SecureStrings to make sure they cannot be inspected in memory. For more information, see Encryption settings for Pega Robotic Automation.
Where is the software installed?
The Assisted Sign-On component is installed with Pega Robotic Automation Studio and Pega Robotic Automation Runtime. Pega Robotic Automation Studio is installed on developer desktops. Pega Robotic Automation Runtime is installed on Runtime user desktops.
How are passwords managed?
The Assisted Sign-On Component is used by Pega Robotic Automation Studio developers when they create automations which are then deployed to the end user desktop and executed by Runtime. Pega Robotic Automation Studio's automations run independently on each end user desktop and are not connected to a central management server following deployment. Developers can choose to enforce password management functions within their automations, but there is no server that centrally manages password rules.
How often does the user have to input their credentials?
The Assisted Sign-On component can persist credentials indefinitely. Developers, however, can choose to enforce password management functions within their automations, including periodically prompting for the re-entry or clearing of stored passwords. For instance, a developer can create an automation that initially prompts users for credentials the first time they log on. For subsequent logons, the automation automatically logs in the user until it detects that a login failed. Once a login has failed, the automation prompts the user to re-enter his or her credentials.
Does the software log who accessed credentials or who accessed the tool?
You can enable local logging of the Enterprise Runtime environment which will provide general log details. Credential information may be marked as sensitive and, if so, will not appear in the logs.
Is this software commonly deployed by other clients?
Yes. Pega has deployed this capability to several other clients. Implementation of the Assisted Sign-On component varies from account to account depending on their project requirements, internal security policies, and the infrastructure already in place.