Security considerations for HCL OneTest API

Ensure that your installation is secure, customize your security settings, and set up user access controls. Also, know about any security limitations that you might encounter with this application.

Privacy policy considerations

Depending on the configurations that are deployed, this software offering might use cookies that can help enable you to collect personally identifiable information. For information about this offerings use of cookies see the Notices topic.


Enabling security during installation

When installing HCL OneTest API, you do not have to enable, select, or configure any security options. After installing the application, the following points apply:

  • Security is based on each project instance.
  • If you create a project results database, the database access is configured within the project settings and uses the standard JDBC connection approach (see Configuring the project results database). This approach allows a user name and password to be specified. Depending on the vendor of the database used and the database driver support, security can be extended further, for example, with Kerberos.

Enabling secure communication between multiple applications

HCL OneTest API does not support single sign-on.

The IBM® Rational® Quality Manager adaptor of HCL OneTest API, which is hosted within the HCL OneTest API Agent process, specifies that a user name and password must be used to connect to Rational® Quality Manager. The password in the configuration file can be encrypted by using the EncryptPassword program supplied with HCL OneTest API. The connection is usually over HTTPS but the exact configuration of the connection depends on the configuration of Rational® Quality Manager.

In HCL OneTest API, you can also define a number of quality management settings for test management and defect management systems. See Quality Management settings.

Ports, protocols, and services

HCL OneTest API processes and tasks can be run by any user with appropriate privileges to access the required files.

Port 7883 is used for the Topology Discovery view. HCL OneTest API creates a TCP connection to the HCL® Quality Server on this port and periodically receives information about the resources that are observed by the proxies and intercepts.

Secure communication between HCL OneTest API and other applications

HCL OneTest API uses Transport Layer Security (TLS) secure communications between HCL OneTest API and any other third-party applications. For example, when you configure an HTTP physical transport and enable SSL, HCL OneTest API uses the highest available TLS protocol version (currently 1.3) to secure the communication.

Setting up user roles and access

In HCL OneTest API, there is no user creation or management. However, if Active Directory or LDAP permission settings are enabled for a project, user management is controlled through Active Directory or LDAP. See Permission settings.

Kerberos sign-on for project permissions

You can use Kerberos with Active Directory for project permissions authentication. To configure the project permissions to use Kerberos, you must provide the Kerberos realm and key distribution center to HCL OneTest API. You can provide this information in either the krb5.ini or krb5.config file, or by applying the following JVM arguments in the Library Manager:
On Microsoft Windows systems, these arguments are in the following environment variables:
  • REALM must be the value of USERDOMAIN.
  • KEY DISTRIBUTION CENTER must be the value of LOGONSERVER with any leading slashes removed (that is, DOMAIN_SERVER not \\DOMAIN_SERVER).
You can also add the following registry value:
  • allowtgtsessionkey must be a DWORD value with a value of 1.

On Microsoft Windows XP systems, add allowtgtsessionkey to the following variable:


On Microsoft Windows 2000, Windows Vista, and Windows 7 systems, add allowtgtsessionkey to the following variable:


Security limitations

Project resources contain passwords that are used to access middleware and databases. These passwords are stored in an obfuscated form that can be reversed. Therefore, the accounts should have only the minimum set of rights that are needed to interact with these resources for test execution or virtualization of services that use them.