Default user administration
You installed IBM® Rational® Test Automation Server and you want to know about how the software manages user access.
Rational® Test Automation Server uses Keycloak V12.0.4 (https://www.keycloak.org/) to manage and authenticate users.
If you manage and authenticate users by using an LDAP and Active Directory server, you can configure Keycloak to connect to that server. For more information, see LDAP user administration.
Keycloak uses the concept of a realm to manage and authenticate users. When you install the server software, a realm called testserver is created for you in Keycloak. All server users belong to this realm and when they log in to the server, they log into that realm.
As an administrator, it is important to consider the following points about the server administration:
- By default, there is no administrator for Rational® Test Automation
Server.
Such an administrator is required for accessing additional functions, which includes claiming ownership of server projects and unarchiving them. But you can assign administrative privileges to any user. You must do this by adding the admin role to the user in Keycloak.
- You must sign up a user that you want to be the administrator. You must go to the Login page at
https://<fully-qualified-dns-name>:443
and sign up.Note: Do not use that admin user to perform non-administration tasks. Instead, sign up another user. - After you sign up the user that you want to be the administrator for Rational® Test Automation
Server, you must log in to the Keycloak Admin Console at
https://<fully-qualified-dns-name>:443/auth/admin/
to make that user the server administrator.The default user name for the Keycloak administrator iskeycloak
. The password is randomly generated when the software is installed. You can see the password by using the following kubectl command:kubectl get secret -n test-system
{my-rtas}
-keycloak-postgresql -o jsonpath="{.data.password}" | base64 --decode; echoNote: You must substitute{my-rtas}
with the release name that you used during the installation of the server software.After you log in to the Keycloak Admin Console, from the Users page, you can search and select the user that you want to make an administrator. From the Groups tab, you can join the user to the Admins group.
For more information about assigning user roles, see Groups in the Keycloak documentation.
Now that you are the server administrator, it is important to consider the following points about the default user management and authentication:
- Minimum password length defaults to 8 characters
- Email verification of new users is turned off
- The Forgot Password feature is turned on by default but no instructions are sent to the user to reset their password
- Forgotten user passwords are changed by you if you do not enable Keycloak to send instructions to reset a password
You can review the following sections about changing the default authentication controls.
Email settings
By default, the testserver realm sets the Forgot Password switch on. However, as an administrator, you must enable Keycloak to send an email to the user with instructions to reset their password. If you want to verify an email, you must also enable Keycloak to send an email to the user to verify their email address.
You must provide SMTP server settings for Keycloak to send an email. After you log in to the Keycloak Admin Console, see Email Settings in the Keycloak documentation.
Then, to set up the email verification, see Forgot Password in the Keycloak documentation.
Password policy
By default, the testserver realm has a password policy where the minimum length of a password is 8. As an administrator, you can update password policies in Keycloak.
After you log in to the Keycloak Admin Console, see Password Policies in the Keycloak documentation.
User password
If you did not enable Keycloak to send instructions to a user about how to reset a password, you must use the Keycloak Admin Console to change their password for them.
After you log in to the Keycloak Admin Console, see User Credentials in the Keycloak documentation.
User deletion
When a user is inactive or no longer needs to access the server, you can delete that user.
After you log in to the Keycloak Admin Console, see Deleting Users in the Keycloak documentation.