Security considerations for HCL OneTest Server

For HCL OneTest Server, you can take actions to ensure that your installation is secure, customize your security settings, and set up user access controls.

Enabling secure communication between multiple applications

The majority of communications are sent over TLS to port 443 (see Ports, protocols, and services). During the installation, an X.509 certificate is generated for the user provided DNS name, which is used to connect to the server. This certificate is self-signed and hence untrusted by other applications.

This self-signed certificate must be replaced by a certificate signed by a certificate authority trusted by your organization. For more information, see X.509 Certificate User Authentication in the Keycloak documentation.

For information about how the self-signed certificate was created, see the file in the <install-directory>/prepare/ directory.

Ports, protocols, and services

TCP port 443 is used by the majority of communications with the server.

TCP port 7085+ is used by test execution agents to poll for work.

Customizing your security settings

You can customize your security settings through user registration.

User registration

By default, users can sign up themselves with the server. In some environments, this self sign-up might be undesirable. It can be changed by switching off user registration. For more information, see User Registration in the Keycloak documentation.

By default, user email addresses are not verified. This verification must be enabled in production environments. For more information, see Email settings.

Setting up user roles and access

You can manage user roles and access through single sign on (SSO) and administration only accounts.

Single sign-on

By default, Keycloak manages users and passwords locally. In production environments, it is normally appropriate to use single sign-on. For more information, see LDAP user administration.

Administration only accounts

Users in the Administrator group can discover all projects stored on the server (including private ones) and assign themselves and others roles in those projects.

For this reason, users who use the server to perform both administration and non-administration tasks must have two different accounts, one for each purpose. For more information, see Default user administration.