Ensure that your installation is secure, customize your security settings, and set up user access controls. Also, know about any security limitations that you might encounter with this application.
Enabling security during installation
When installing IBM® Rational® Test Control Panel, you have the following options:
- Choose to use the OSLC protocol.
- Choose the secure HTTP connection protocol (HTTPS) for other applications to connect to IBM Rational Test Control Panel.
- Select from a variety of user authentication options: the default built-in option, an Active Directory option, a Lightweight Directory Access Protocol (LDAP) option, or no authentication (see Manage users).
For Active Directory or LDAP, authentication is through a user name and a password specified during the installation of Rational Test Control Panel. If you already have access to an Active Directory or LDAP environment, verify access to Rational Test Control Panel by logging in to the environment and checking whether you can see the pages. You can extend this check to confirm whether you have standard or administrator privileges in Rational Test Control Panel.
IBM Rational Test Control Panel includes an HTTP/TCP proxy, with SSL and a custom key pair/certificate for the HTTPS proxy. You can replace the certificate by updating the existing keystore that is referenced in the proxy’s configuration file or by using a new one. See Modifying the configuration settings of the HTTP/TCP proxy.
For Rational Test Control Panel on a Tomcat server, ensure that the Tomcat server is configured to deploy Rational Test Control Panel on a secure HTTP (HTTPS) connection. This step is required so that passwords are sent securely.
Enabling secure communication between multiple applications
Rational Test Control Panel does not support single sign-on.
Ports, protocols, and services
Port 7883 is used for the Topology Discovery view. Rational Integration Tester creates a TCP connection to Rational Test Control Panel on this port and periodically receives information about the resources that are observed by the proxies and intercepts.
When you use IBM Installation Manager to install Rational Test Control Panel on Microsoft Windows systems, Windows services are configured by default to run Rational Test Control Panel and the HTTP/TCP proxy at startup, but you can change this setting during installation. These services run under the Local System account. After the installation, use the Windows Service Control Manager to modify or disable the services.
All communications with Rational Test Control Panel are plain HTTP, by default on port 7819 (see Network port numbers used by IBM Rational Test Workbench components). You can change the port number. You can also change the configuration to use SSL.
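A defender-side check for the point above, added here as an example that is not IBM's code: it reports whether a control panel port still answers plain HTTP (the default described on this page) or has been switched to TLS. The loopback server it starts is a constructed stand-in for an HTTP-only installation; in practice you would pass the real host and port 7819.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'tls', 'plain-http', 'closed' or 'unknown' for host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only asking whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate chains
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"         # handshake completed: the port speaks TLS
    except ssl.SSLError:
        pass                         # listener answered the ClientHello with non-TLS bytes
    except OSError:
        return "closed"
    # Not TLS: send a minimal request and look for an HTTP status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(64)
    except OSError:
        return "closed"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"

class _PlainStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for an HTTP-only control panel (demo only)."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):    # keep the demo quiet
        pass

def start_plain_http_server():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _PlainStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    server, port = start_plain_http_server()
    state = probe_port("127.0.0.1", port)
    print(f"127.0.0.1:{port} -> {state}")   # plain-http: passwords would cross unencrypted
    server.shutdown()
```

A result of "plain-http" on the control panel port means login passwords cross the network unencrypted; "tls" means the SSL configuration described above is in effect.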
Customizing your security settings
Consider the following security options in Rational Test Control Panel:
- Customization of pages is not supported.
- No forms of notifications are supported.
- All successful and unsuccessful login attempts are stored in an audit log, which Rational Test Control Panel administrators can view on the Administration page.
- If the built-in user-authentication option is enabled, passwords are hashed and stored in a way that is similar to the security on UNIX systems, and there is no way to change this setting. See Manage users.
- Rational Test Control Panel supports domain-level security. Only Rational Test Control Panel system administrators can enable and disable domain-level security. See Enabling and disabling domain-level security.
Setting up user roles and access
In Rational Test Control Panel, users are either normal users or system administrators. When installing Rational Test Control Panel, you can choose either of these two user authentication methods to configure server security:
- The built-in security option, where the default administrator user that is created during installation uses the Administration page in Rational Test Control Panel to create additional users, and no password rules are enforced.
- The Active Directory option or the LDAP option, where you map the groups to the system administrator or normal user type.
Domain-level security and tokens
Domain-level security can be enabled to grant Rational Test Control Panel users access to specific domains and to define the level of that access. Domain administrators can assign Rational Test Control Panel system administrators and normal users to any of the following roles:
- Domain administrator
- Domain user
- Domain API user
When domain-level security is enabled, agents and proxies must be configured to register with the domain. Access to the secured domain for agents and proxies is implemented by using security tokens. In Rational Test Control Panel, a security token is generated for a user. The generated token is then specified in the registration.xml file (for a proxy) or the Agent.config file (for an agent) to enable access to the secured domain.
Security limitations
The built-in security of Rational Test Control Panel stores the user names and passwords as hashes in a file for user authentication. Passwords for further remote access, for example, when configuring access to a Rational Integration Tester project results database, are stored in an obfuscated form. See Configuring the project results database for Rational Integration Tester.
In versions of Rational Test Control Panel earlier than 8.5.1.1, Apache Ant tasks and the REST interface do not require authentication, so actions that are done by using these interfaces are not secured. In Rational Test Control Panel 8.5.1.1 or later, domain-level security can be enabled. When domain-level security is enabled, the REST API can be accessed only with a valid security key. See Enabling and disabling domain-level security.