Security considerations for DevOps Test Integrations and APIs

Ensure that your installation is secure, customize your security settings, and set up user access controls in HCL DevOps Test Integrations and APIs (Test Integrations and APIs). Also, know about any security limitations that you might encounter with this application.

Privacy policy considerations

Depending on the configurations that are deployed, this software offering might use cookies that can help enable you to collect personally identifiable information. For information about this offerings use of cookies see the Notices topic.

Test Integrations and APIs

Enabling security during installation

When installing Test Integrations and APIs, you do not have to enable, select, or configure any security options. After installing the application, the following points apply:

  • Security is based on each project instance.
  • If you create a project results database, the database access is configured within the project settings and uses the standard JDBC connection approach (see Configuring the project results database). This approach allows a user name and password to be specified. Depending on the vendor of the database used and the database driver support, security can be extended further, for example, with Kerberos.

Enabling secure communication between multiple applications

Test Integrations and APIs does not support single sign-on.

The IBM® Engineering Test Management adaptor of Test Integrations and APIs, which is hosted within the Test Integrations and APIs Agent process, specifies that a user name and password must be used to connect to Rational® Quality Manager. The password in the configuration file can be encrypted by using the EncryptPassword program supplied with Test Integrations and APIs. The connection is usually over HTTPS but the exact configuration of the connection depends on the configuration of Rational® Quality Manager.

In Test Integrations and APIs, you can also define a number of quality management settings for test management and defect management systems. See Quality Management settings.

Ports, protocols, and services

Test Integrations and APIs processes and tasks can be run by any user with appropriate privileges to access the required files.

Port 7883 is used for the Topology Discovery view. Test Integrations and APIs creates a TCP connection to the Test Virtualization Control Panel on this port and periodically receives information about the resources that are observed by the proxies and intercepts.

Secure communication between Test Integrations and APIs and other applications

Test Integrations and APIs uses Transport Layer Security (TLS) secure communications between Test Integrations and APIs and any other third-party applications. For example, when you configure an HTTP physical transport and enable SSL, Test Integrations and APIs uses the highest available TLS protocol version (currently 1.3) to secure the communication.

Setting up user roles and access

In Test Integrations and APIs, there is no user creation or management. However, if Active Directory or LDAP permission settings are enabled for a project, user management is controlled through Active Directory or LDAP. See Permission settings.

Kerberos sign-on for project permissions

You can use Kerberos with Active Directory for project permissions authentication. To configure the project permissions to use Kerberos, you must provide the Kerberos realm and key distribution center to Test Integrations and APIs. You can provide this information in either the krb5.ini or krb5.config file, or by applying the following JVM arguments in the Library Manager:
  • -Djava.security.krb5.realm=REALM
  • -Djava.security.krb5.kdc=KEY DISTRIBUTION CENTER
On Microsoft Windows systems, these arguments are in the following environment variables:
  • REALM must be the value of USERDOMAIN.
  • KEY DISTRIBUTION CENTER must be the value of LOGONSERVER with any leading slashes removed (that is, DOMAIN_SERVER not \\DOMAIN_SERVER).
You can also add the following registry value:
  • allowtgtsessionkey must be a DWORD value with a value of 1.

On Microsoft Windows XP systems, add allowtgtsessionkey to the following variable:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos

On Microsoft Windows 2000, Windows Vista, and Windows 7 systems, add allowtgtsessionkey to the following variable:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Security limitations

Project resources contain passwords that are used to access middleware and databases. These passwords are stored in an obfuscated form that can be reversed. Therefore, the accounts should have only the minimum set of rights that are needed to interact with these resources for test execution or virtualization of services that use them.