Security considerations for HCL OneTest™ API
Ensure that your installation is secure, customize your security settings, and set up user access controls. Also, know about any security limitations that you might encounter with this application.
Privacy policy considerations
Depending on the configurations that are deployed, this software offering might use cookies that can help enable you to collect personally identifiable information. For information about this offerings use of cookies see the Notices topic.
HCL OneTest™ API
Enabling security during installation
When installing HCL OneTest™ API, you do not have to enable, select, or configure any security options. After installing the application, the following points apply:
- Security is based on each project instance.
- If you create a project results database, the database access is configured within the project settings and uses the standard JDBC connection approach (see Configuring the project results database). This approach allows a user name and password to be specified. Depending on the vendor of the database used and the database driver support, security can be extended further, for example, with Kerberos.
Enabling secure communication between multiple applications
HCL OneTest™ API does not support single sign-on.
The IBM® Rational® Quality Manager adaptor of HCL OneTest™ API, which is hosted within the HCL OneTest™ API Agent process, specifies that a user name and password must be used to connect to Rational® Quality Manager. The password in the configuration file can be encrypted by using the EncryptPassword program supplied with HCL OneTest™ API. The connection is usually over HTTPS but the exact configuration of the connection depends on the configuration of Rational® Quality Manager.
In HCL OneTest™ API, you can also define a number of quality management settings for test management and defect management systems. See Permission settings.
Ports, protocols, and services
HCL OneTest™ API processes and tasks can be run by any user with appropriate privileges to access the required files.
Port 7883 is used for the Topology Discovery view. HCL OneTest™ API creates a TCP connection to the HCL® Quality Server on this port and periodically receives information about the resources that are observed by the proxies and intercepts.
Secure communication between HCL OneTest™ API and other applications
HCL OneTest™ API uses Transport Layer Security (TLS) secure communications between HCL OneTest™ API and any other third-party applications. For example, when you configure an HTTP physical transport and enable SSL, HCL OneTest™ API uses the highest available TLS protocol version (currently 1.3) to secure the communication.
Setting up user roles and access
In HCL OneTest™ API, there is no user creation or management. However, if Active Directory or LDAP permission settings are enabled for a project, user management is controlled through Active Directory or LDAP. See Permission settings.
Kerberos sign-on for project permissions
krb5.ini
or krb5.config
file,
or by applying the following JVM arguments in the Library Manager:-Djava.security.krb5.realm=
REALM-Djava.security.krb5.kdc=
KEY DISTRIBUTION CENTER
- REALM must be the value of
USERDOMAIN
. - KEY DISTRIBUTION CENTER must be the value of
LOGONSERVER
with any leading slashes removed (that is,DOMAIN_SERVER
not\\DOMAIN_SERVER
).
allowtgtsessionkey
must be aDWORD
value with a value of1
.
On Microsoft™
Windows™ XP systems, add
allowtgtsessionkey
to the following variable:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
On Microsoft™
Windows™ 2000, Windows™ Vista, and Windows™ 7 systems, add
allowtgtsessionkey
to the following variable:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Security limitations
Project resources contain passwords that are used to access middleware and databases. These passwords are stored in an obfuscated form that can be reversed. Therefore, the accounts should have only the minimum set of rights that are needed to interact with these resources for test execution or virtualization of services that use them.