Security Considerations

This document describes the actions that you can take to ensure that your installation is secure, customize your security settings, and set up user access controls.

Enabling secure communication between multiple applications

The majority of communications are sent over TLS to port 443 (see Ports, protocols, and services). During the installation, an X.509 certificate is generated for the user-provided DNS name, which is used to connect to the server. This certificate is self-signed and hence untrusted by other applications.

This self-signed certificate must be replaced by a certificate signed by a certificate authority trusted by your organization. For more information, see X.509 Certificate User Authentication in the Keycloak documentation.

For information about how the self-signed certificate was created, see the ssl.sh file in the <install-directory>/prepare/ directory.

Ports, protocols, and services

TCP port 443 is used by the majority of communications with the server.

The port 7085 is the default port for communications with agents registered with Rational® Test Automation Server.

The ports starting from 7085 are used in pairs, such as 7085 and 7086, and the first pair is allotted to the Schedule that is executed first. The next Schedule is allotted the next pair (7087, 7088), and so on for each Schedule that runs simultaneously.

You must open the required ports in pairs for each of the Schedules that you want to run simultaneously.

Customizing your security settings

You can customize your security settings through user registration.

User registration

By default, users can sign up themselves with the server. In some environments, this self sign-up might be undesirable; you can prevent it by switching off user registration. For more information, see User Registration in the Keycloak documentation.

By default, user email addresses are not verified. This verification must be enabled in production environments. For more information, see Email settings.

Setting up user roles and access

You can manage user roles and access through single sign-on (SSO) and administration-only accounts.

Single sign-on

By default, Keycloak manages users and passwords locally. In production environments, it is normally appropriate to use single sign-on. For more information, see LDAP user administration.

Administration-only accounts

Users in the Administrator group can discover all projects stored on the server (including private ones) and assign themselves and others roles in those projects.

For this reason, users who perform both administration and non-administration tasks on the server must have two different accounts, one for each purpose. For more information, see Default user administration.