Welcome
Managing Security
HCL DevOps Deploy (Deploy) uses a flexible team-based and role-based security model that maps to your organizational structure.
SSL configuration
With Secure Sockets Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient. This communication cannot be deciphered or modified by third-parties. In addition to encryption, SSL can also support authentication.
Certificate Expiration Enforcement and Auto-Rotation
You can configure the server and agents to mitigate the security risks associated with vulnerable agent certificate expiration dates.
Automatic rotation of agents certificate
You can configure the agents to generate new certificates periodically by enabling agent certificate auto-rotation.

Release Notes
This section includes what's new, defect fixes, and deprecations and removals in all releases.
System Requirements
This document includes information about the hardware, containers, prerequisite software, supported operating system, and database requirements with component level detail for the HCL DevOps Deploy (Deploy).
Getting Started
Quickly become productive with HCL DevOps Deploy (Deploy).
Installing
A HCL DevOps Deploy (Deploy) installation consists of a Deploy server, a database server, and at least one agent.
Upgrading and Migrating
Stay updated with latest features and functionalities by upgrading HCL DevOps Deploy (Deploy) server, agents, and relays. This section also provides instruction on how to migrate your Deploy instance.
Integrating
HCL DevOps Deploy (Deploy) supports integrations with other IBM® and HCL products, products from others, and certain cloud systems.
Administering
Learn how to administer settings in HCL DevOps Deploy (Deploy) elements and communication between the elements.
Managing Security
HCL DevOps Deploy (Deploy) uses a flexible team-based and role-based security model that maps to your organizational structure.
- Guidelines for setting up server security
  Although there is no single best way to set up security for the server, the following steps are sufficient in most cases.
- SSL configuration
  With Secure Sockets Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient. This communication cannot be deciphered or modified by third-parties. In addition to encryption, SSL can also support authentication.
  - Enabling server identity verification
    You can enable extra security to configure the agents to verify the identity of the server for communication that uses the HTTPS protocol.
  - Supported TLS and SSL protocols and ciphers
    HCL DevOps Deploy (Deploy) supports multiple SSL protocols and ciphers for communication among servers.
  - Enforcing the use of a security protocol or set of ciphers
    For security reasons, ensure that all SSL connections to and from the HCL DevOps Deploy (Deploy) server uses the TLSv1.2 protocol. To configure SSL globally, follow these instructions under jdk.tls.disabledAlgorithms here.
  - Configuring SSL on Apache Tomcat and LDAP servers
    The steps for configuring secure HTTPS connections with the HCL DevOps Deploy (Deploy) server are similar to the steps for any Java™ Platform, Enterprise Edition server.
  - Implementing custom trust stores
    A trust store defines the roots of the certificate trust chain. Typically, these are the certificate authority root certificates that sign other certificates. It can also be end entity certificates that are directly trusted. Java® includes a default trust store that contains certificate authority root certificates for many well-known authorities. This trust store is a file called cacerts and is contained in the Java installation. The file has the same format as a keystore, but it never contains a private key. It is possible to modify or replace this file to alter the trust roots with the keytool program. Otherwise, a custom trust store must be used instead.
  - Upgrading encryption key strength
    When you upgrade the server, you can upgrade the SSL encryption.
  - Keystores configuration
    Server, agents, and agent relays keystores are used for a secured web communication between servers and agents.
  - Certificate Expiration Enforcement and Auto-Rotation
    You can configure the server and agents to mitigate the security risks associated with vulnerable agent certificate expiration dates.
    - Automatic rotation of agents certificate
      You can configure the agents to generate new certificates periodically by enabling agent certificate auto-rotation.
    - Enforcing certificate expiration and setting certificate validity
      You must enforce the expiry of certificates and set their validity so that the server fails to communicate with the agents with expired certificates and the agents auto-rotate their certificates at a regular interval of time.
- Encryption key tools
  Using the encryption key tools, you can manage your encryption keys.
- Authorization realms
  Use the Authorization Realms pane to create authorization realms and user groups for the server. Groups can be imported from external systems, such as LDAP.
- Authentication realms
  Authentication realms manage users and determine user identity within authorization realms for the server.
- Roles and permissions
  A role is a list of permissions that users have on the HCL DevOps Deploy (Deploy) server. These permissions include the ability to create, edit, and delete objects, such as applications, environments, and components. The permission also includes the parts of the server interface that users can access.
- Secret stores
  You can store user credentials in Hashicorp Vault and integrate with HCL DevOps Deploy (Deploy) to retrieve values from the Vault.
- Security teams
  Users and groups on the server are assigned roles when they are added to teams.
- Security types
  Security types define categories of objects on the server. You can put all objects into a single category, or you can put them in separate categories and give roles different access rights to different categories.
- Tokens
  Tokens provide authorization for agents, agent relays, users, and external systems or applications from the server. Agents use tokens when they run process steps and communicate with the HCL DevOps Deploy (Deploy) server and external services.
Modeling Software Deployment
Modeling software deployment in HCL DevOps Deploy (Deploy) includes configuring components and component processes and adding those components to applications. Then, you use processes to deploy the components to environments.
Deploying
Learn how to deploy applications in HCL DevOps Deploy (Deploy).
Reporting
Provides several different deployment and security reports.
Extending Product Function
Learn how to extend the function of HCL DevOps Deploy (Deploy).
Troubleshooting and Support
Learn how to troubleshoot some common issues with HCL DevOps Deploy (Deploy).
Security Considerations
You can act to ensure that your installation is secure and set up user access controls.

Automatic rotation of agents certificate

You can configure the agents to generate new certificates periodically by enabling agent certificate auto-rotation.

You can configure agents to generate a new key pair and certificate automatically by using any of the following methods:

The bulkSetAgentKeypairPolicy udclient command for generating the key pair of agents in bulk.
The setAgentKeypairPolicy udclient command for generating the key pair of a specific agent. Alternatively, you can add the following parameter to the agent's installed.properties file:
```
agentcomm.keypair.maxAgeDays=90
```
The agentcomm.keypair.maxAgeDays property defines the validity of the certificate in days. The minimum allowed value is 90 days.
Note: You must restart the agent if you are editing the agent's installed.properties file.

After you define the agents' maxAgeDays property, the agents are configured to automatically rotate their certificates. The agents will attempt to rotate their certificate 30 days before they expire. For example, if you have set the agents' maxAgeDays property as 90, the agents will attempt to rotate their key pair after 60 days.

Important: The unupgraded agents and agents that are often offline intentionally do not rotate certificates or might not rotate certificates promptly. You must ensure that you upgrade and start such agents once before their expiry to rotate their certificates automatically.

Notes:

The certificate rotation does not interfere with any running deployment process.
You can verify that the agents have rotated the certificate as configured from the agent's Agent Security page.