Security considerations for Rational® Integration Tester

Ensure that your installation is secure, customize your security settings, and set up user access controls. Also, know about any security limitations that you might encounter with this application.

Privacy policy considerations

Depending on the configurations that are deployed, this software offering might use cookies that can help enable you to collect personally identifiable information. For information about this offerings use of cookies see the Notices topic.

Rational® Integration Tester

Enabling security during installation
Enabling secure communication between multiple applications
Ports, protocols, and services
Secure communication between Rational Integration Tester and other applications
Setting up user roles and access
Kerberos sign-on for project permissions
Security limitations

Enabling security during installation

When installing Rational® Integration Tester, you do not have to enable, select, or configure any security options. After installing the application, the following points apply:

Security is based on each project instance.
If you create a project results database, the database access is configured within the project settings and uses the standard JDBC connection approach (see Configuring the project results database). This approach allows a user name and password to be specified. Depending on the vendor of the database used and the database driver support, security can be extended further, for example, with Kerberos.

Enabling secure communication between multiple applications

Rational® Integration Tester does not support single sign-on.

The IBM® Rational® Quality Manager adaptor of Rational® Integration Tester, which is hosted within the Rational® Integration Tester Agent process, specifies that a user name and password must be used to connect to Rational® Quality Manager. The password in the configuration file can be encrypted by using the EncryptPassword program supplied with Rational® Integration Tester. The connection is usually over HTTPS but the exact configuration of the connection depends on the configuration of Rational® Quality Manager.

In Rational® Integration Tester, you can also define a number of quality management settings for test management and defect management systems. See Quality Management settings.

Ports, protocols, and services

Rational® Integration Tester processes and tasks can be run by any user with appropriate privileges to access the required files.

Port 7883 is used for the Topology Discovery view. Rational® Integration Tester creates a TCP connection to the Rational® Test Control Panel on this port and periodically receives information about the resources that are observed by the proxies and intercepts.

Secure communication between Rational® Integration Tester and other applications

Rational® Integration Tester uses Transport Layer Security (TLS) secure communications between Rational® Integration Tester and any other third-party applications. For example, when you configure an HTTP physical transport and enable SSL, Rational® Integration Tester uses the highest available TLS protocol version (currently 1.3) to secure the communication.

Setting up user roles and access

In Rational® Integration Tester, there is no user creation or management. However, if Active Directory or LDAP permission settings are enabled for a project, user management is controlled through Active Directory or LDAP. See Permission settings.

Kerberos sign-on for project permissions

You can use Kerberos with Active Directory for project permissions authentication. To configure the project permissions to use Kerberos, you must provide the Kerberos realm and key distribution center to Rational® Integration Tester. You can provide this information in either the krb5.ini or krb5.config file, or by applying the following JVM arguments in the Library Manager:

-Djava.security.krb5.realm=REALM
-Djava.security.krb5.kdc=KEY DISTRIBUTION CENTER

On Microsoft™ Windows™ systems, these arguments are in the following environment variables:

REALM must be the value of USERDOMAIN.
KEY DISTRIBUTION CENTER must be the value of LOGONSERVER with any leading slashes removed (that is, DOMAIN_SERVER not \\DOMAIN_SERVER).

You can also add the following registry value:

allowtgtsessionkey must be a DWORD value with a value of 1.

On Microsoft™ Windows™ XP systems, add allowtgtsessionkey to the following variable:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos

On Microsoft™ Windows™ 2000, Windows™ Vista, and Windows™ 7 systems, add allowtgtsessionkey to the following variable:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Security limitations

Project resources contain passwords that are used to access middleware and databases. These passwords are stored in an obfuscated form that can be reversed. Therefore, the accounts should have only the minimum set of rights that are needed to interact with these resources for test execution or virtualization of services that use them.