Security considerations for Rational® Test Control Panel

You must ensure that your installation is secure, customize your security settings, and set up user access controls. Also, you must know about any security limitations that you might encounter with this server application.

Enabling security during installation

When installing Rational® Test Control Panel, you have the following options:
  • Select from a variety of user authentication options, including a default built-in option, an Active Directory option, a Lightweight Directory Access Protocol (LDAP) option, or no authentication (see Managing users.) For Active Directory or LDAP, authentication is through a user name and a password specified during the installation of Rational® Test Control Panel. If you already have access to an Active Directory or LDAP environment, verify the access to Rational® Test Control Panel by logging into the environment and checking whether you can see the pages. This verification process can be extended to see whether you have standard or administrator privileges in Rational® Test Control Panel.
    Important: When you install or upgrade Rational® Test Control Panel in console mode, you cannot choose Active Directory or Lightweight Directory Access Protocol (LDAP) for the security model. These options are available in the GUI version of the Installation Manager only. For information about how to configure Active Directory or LDAP after installing Rational® Test Control Panel (in GUI mode or in console mode), see Configuring the security settings after installation by updating the security.config file.

Rational® Test Control Panel includes an HTTP/TCP proxy, with SSL and a custom key pair/certificate for the HTTPS proxy. You can replace the certificate by updating the existing keystore that is referenced in the configuration file of the proxy or by using a new one. See Modifying the configuration settings of the HTTP/TCP proxy.

Enabling secure communication between multiple applications

Rational® Test Control Panel does not support single sign-on.

Ports, protocols, and services

Port 7883 is used for the Topology Discovery view. Rational® Integration Tester creates a TCP connection to the Rational® Test Control Panel on this port and periodically receives information about the resources that are observed by the proxies and intercepts.

When you use IBM® Installation Manager to install Rational® Test Control Panel on Microsoft Windows systems, by default, Windows services are configured to run Rational® Test Control Panel and the HTTP/TCP proxy at startup but you can change this setting during installation. These services are executed using the Local System account. After the installation, use Windows Service Control Manager to modify or disable the services.

All communications with Rational® Test Control Panel are by default HTTPS on port 5443 (see Network ports). You can change the port number after installation and also enable plain HTTP. For details, see Configuring the server HTTP Endpoint. The first time you create an Rational® Integration Tester project, the Rational® Test Control Panel URL defaults to https://localhost:5443/RTCP and the port value that you use for the creation of a project becomes the default value for all the new projects.

Customizing your security settings

Consider the following security options in Rational® Test Control Panel:
  • Customization of pages is not supported.
  • No forms of notifications are supported.
  • All successful and unsuccessful login attempts are stored in an audit log, which Rational® Test Control Panel administrators can view on the Administration page.
  • If the built-in user-authentication option is enabled, passwords are hashed and stored in a way that is similar to the security on Unix-like systems, and there is no way to change this setting. See Managing users.
  • Rational® Test Control Panel supports domain level security. Only Rational® Test Control Panel system administrators can enable and disable domain level security. See Enabling and disabling domain-level security.
  • The server by default provides a truststore. You can configure the server to use a custom truststore for server SSL connections. For details, see Using your own truststore for server SSL connections.

Setting up user roles and access

In Rational® Test Control Panel, users are either normal users or system administrators. When installing Rational® Test Control Panel, you can choose either of these two user authentication methods to configure server security:
  • The built-in security option, where the default administrator user that is created during installation uses the Administration page in Rational® Test Control Panel to create additional users, and there are no rules for passwords.
  • The Active Directory option or the LDAP option, where you map the groups to the system administrator or normal user type.
Note: Rational® Test Control Panel can be used as an authentication provider for Rational® Integration Tester project authentication, allowing users to use the same credentials when you log in to a project as when you log in to Rational® Test Control Panel. For more information about how to configure LDAP, see Modifying security model settings after installation

Domain level security and tokens

Domain-level security can be enabled to grant Rational® Test Control Panel users access to specific domains and define the level of that access. Domain administrators can assign Rational® Test Control Panel system administrators and normal users to any of the following roles:
  • Domain administrator
  • Domain user
  • Domain API user

When the domain level security is enabled, the agents and proxies must be configured to enable registering with the domain. The access to the secured domain for the agents and proxies can be implemented by using security tokens.

In Rational® Test Control Panel, the security token is generated for a user. The generated security token is then specified in the registration.xml file (for proxy) and Agent.config file (for agent) to enable access to the secured domain.

Security limitations

The built-in security of Rational® Test Control Panel is used to store the user names and passwords as hashes in a file for user authentication. Passwords for further remote access, for example, when configuring access to an Rational® Integration Tester project results database, are stored in an obfuscated form. See Configuring the project results database.

In versions earlier than 8.5.1.1, Apache Ant tasks and REST interface do not require authentication, so actions that are done by using these interfaces are unsecure.

In 8.5.1.1 or later, domain level security can be enabled. When domain level security is enabled, the REST API can be accessed only with a valid security key. See Enabling and disabling domain-level security.