Security Considerations
This document describes the actions that you can take to ensure that your installation is secure, customize your security settings, and set up user access controls.
- Enabling secure communication between multiple applications
- Ports, protocols, and services
- Customizing your security settings
- Setting up user roles and access
Enabling secure communication between multiple applications
This self-signed certificate must be replaced by a certificate signed by a certificate authority trusted by your organization. For more information, see X.509 Certificate User Authentication in the Keycloak documentation.
For information about how the self-signed certificate was created, see the ssl.sh
file in the
<install-directory>/prepare/
directory.
Ports, protocols, and services
TCP port 443 is used by the majority of communications with the server.
The port 7085 is the default port for communications with agents registered with HCL OneTest™ Server.
The ports starting from 7085, are used in pairs such as 7085 and 7086, and are allotted for the Schedule that is executed first. The next Schedule is allotted the next pair (7087,7088), and so on for the Schedules that are running simultaneously.
You must open the required ports in pairs for each of the Schedules that you want to run simultaneously.
Customizing your security settings
User registration
By default, users can sign up themselves with the server. In some environments, this self sign-up might be undesirable. It can be changed by switching off user registration. For more information, see User Registration in the Keycloak documentation.
By default, user email addresses are not verified. This verification must be enabled in production environments. For more information, see Email settings.
Setting up user roles and access
Single sign-on
By default, Keycloak manages users and passwords locally. In production environments, it is normally appropriate to use single sign-on. For more information, see LDAP user administration.
Administration only accounts
Users in the Administrator group can discover all projects stored on the server (including private ones) and assign themselves and others roles in those projects.
For this reason, users who use the server to perform both administration and non-administration tasks must have two different accounts, one for each purpose. For more information, see Default user administration.