July 22, 2014

Keeping the Hackers Out – Securing Client/Server Communication

Helix ALM
Keeping your data secure to protect your company’s intellectual property is a top priority. Encrypting client/server communication is one way to help ensure your data is safe from eavesdropping on the network. TestTrack and Seapine License Server 2014.1 improve the existing encryption methods and introduce a new, stronger option: RSA key exchange.

Securing TestTrack communication

Communication between TestTrack clients and the TestTrack Server should always be encrypted. At a bare minimum, make sure the Encrypt communication between clients and the server option is enabled in the Security server options in the TestTrack Server Admin Utility.

[Screenshot: TestTrack Server security options, basic encryption]

If your network is potentially insecure and you need stronger protection, you can use RSA key exchange. RSA is a public key algorithm that uses separate keys for encryption and decryption: anything encrypted with the server’s public key can only be decrypted with the matching private key, which is stored only on the server.* You may want to use RSA if:
  • Your organization stores sensitive information in TestTrack.
  • Your network is potentially insecure.
  • Users log in to client applications from outside your network.
  • Users are authenticated to TestTrack using LDAP, single sign-on, or external authentication.
Using RSA does require native client users to do a little bit of work, but we’ll get to that in a minute. To use RSA key exchange, in the TestTrack Server Admin Utility, make sure Encrypt communication between clients and the server is selected and then select Use RSA key exchange.

[Screenshot: TestTrack Server security options, RSA encryption]

Next, click Download Public Key File to download a file that contains the TestTrack Server address, port number, and public key. Select a location, enter a file name, and click Save. The file contains no secret, but every client that imports it will trust whatever key it carries, so store it where it cannot be tampered with and distribute it to users over a channel they can trust rather than over the same untrusted network you are trying to protect.

Here’s the important part. The public key must be added to any TestTrack clients that connect to the server. Distribute the key file to all users who use the native TestTrack Client, add-ins, and the native TestTrack Server Admin Utility. Users must import the key file into their server connection settings. For example, in TestTrack, click Setup on the login dialog box, select the server, and click Edit. Click Import in the Edit TestTrack Server dialog box, select the key file, and click Open. Click OK to save the changes.

[Screenshot: TestTrack Server connection settings]

If users use TestTrack web clients, only the TestTrack administrator needs to import the key file, using the TestTrack Registry Utility on the TestTrack Server. In the registry utility, click CGI Options. In the Default TestTrack Server area, click Import, select the key file, and click Open. Click OK to save the changes.

[Screenshot: TestTrack Registry Utility CGI settings]

If you ever suspect the private key on the TestTrack Server is compromised, you can easily regenerate the keys, download the new key file, and import it to clients. Clients still holding the old key file cannot complete the key exchange with the new server key, so plan on redistributing the file to every native client and re-importing it in the registry utility for web clients.

Securing Seapine License Server communication

The same encryption and key exchange principles apply to the Seapine License Server. Always enable encryption to make sure communication is secure between the license server, admin utilities, API, and other Seapine product servers. If you need stronger encryption, you can use RSA key exchange. To enable encryption and RSA for the license server, in the license server admin utility, click Server Options and select the Server category.

More information

For more information about encryption and key exchange, see the encryption and key exchange help topics for TestTrack and Seapine License Server.

-----

*If you’re curious about the technical details, here’s how the RSA key exchange works: the client application generates a random, 256-bit secret key and encrypts it with the server’s public key, so only the holder of the matching private key can recover it. The server decrypts the secret key, hashes it, and signs the hash with its private key; the client checks that signature against the public key it imported, which proves it is talking to the server that owns the private key. The private key is stored only on the server hard drive and never leaves the server. To compromise the secret key or impersonate the server, an attacker must either know the server’s private key or substitute their own public key in client applications, which is why the key file has to reach clients through a channel you trust.
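The exchange described in the footnote, written out as an added example with both sides and an attacker in the middle. This is not Seapine’s code and makes assumptions the post does not state: a 2048-bit RSA key, OAEP padding for encrypting the secret and PSS padding for the signature, and SHA-256 as the hash. The post also does not say which cipher later uses the 256-bit secret, so the example stops once both sides agree on it. It runs the three cases the footnote predicts: an honest client and server agree on the secret; an attacker who cannot read the secret cannot produce a signature the client accepts; and an attacker whose own public key has been substituted into the client’s key file completes the exchange and learns the secret.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server owns the long-lived RSA key pair. The private key lives only here;
// clients are handed PublicKey via the downloaded key file.
type Server struct{ priv *rsa.PrivateKey }

func NewServer() (*Server, error) {
	// 2048 bits is an assumption; the post does not state the key size.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// PublicKey is what the "Download Public Key File" step exports.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Handshake is the server half: recover the client's secret with the private
// key, hash it, and sign the hash. A ciphertext made for some other public key
// fails OAEP decryption, so a server without the right private key has nothing to sign.
func (s *Server) Handshake(encSecret []byte) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, encSecret, nil)
	if err != nil {
		return nil, fmt.Errorf("server: cannot decrypt client secret: %w", err)
	}
	digest := sha256.Sum256(secret)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
}

// ClientKeyExchange is the client half: generate a random 256-bit secret,
// encrypt it to the public key imported from the key file, send it, and accept
// the peer only if its signature over SHA-256(secret) verifies under that same
// trusted key. transport models the network and whoever is sitting on it.
func ClientKeyExchange(trusted *rsa.PublicKey, transport func([]byte) ([]byte, error)) ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, trusted, secret, nil)
	if err != nil {
		return nil, err
	}
	sig, err := transport(enc)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(secret)
	if err := rsa.VerifyPSS(trusted, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("client: peer could not prove possession of the trusted private key")
	}
	return secret, nil
}

// Attacker sits between client and server with its own key pair and tries to
// complete the handshake itself. When it cannot decrypt the secret it returns
// filler instead of dropping the connection, to show the client catches it.
type Attacker struct{ own *Server }

func (a *Attacker) Intercept(enc []byte) ([]byte, error) {
	sig, err := a.own.Handshake(enc)
	if err != nil {
		return make([]byte, 256), nil // forged filler; will not verify
	}
	return sig, nil
}

// RunScenarios returns the outcome of the three cases the footnote predicts.
func RunScenarios() (honestOK, mitmRejected, substitutedKeyAccepted bool, err error) {
	server, err := NewServer()
	if err != nil {
		return
	}
	attackerKeys, err := NewServer()
	if err != nil {
		return
	}
	mallory := &Attacker{own: attackerKeys}

	_, e1 := ClientKeyExchange(server.PublicKey(), server.Handshake) // honest path
	honestOK = e1 == nil
	_, e2 := ClientKeyExchange(server.PublicKey(), mallory.Intercept) // client trusts the real key
	mitmRejected = e2 != nil
	_, e3 := ClientKeyExchange(mallory.own.PublicKey(), mallory.Intercept) // attacker's key in the key file
	substitutedKeyAccepted = e3 == nil
	return
}

func main() {
	h, m, s, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest handshake ok: %v\nMITM rejected with genuine key file: %v\nMITM accepted after key-file substitution: %v\n", h, m, s)
}
```

The third case is the whole reason the post tells you to distribute the key file carefully: the server-side protections do nothing if an attacker can get their own public key imported on the client, because the client then proves possession to the wrong party.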