September 17, 2014

Securing Surround SCM Client/Server Communication

Protecting your valuable digital property is extremely important. Encrypting client/server communication is one way to make sure your data is secure from potential hackers. Surround SCM 2014.1 introduces improved encryption methods and a new, stronger security option: RSA key exchange.

Configuring encryption and server security

Communication between Surround SCM clients and the Surround SCM Server should always be encrypted. At a minimum, make sure the Encrypt communication between clients and the server option is enabled in the global General server options.

If you need stronger encryption, you can use RSA key exchange, which is a public key algorithm that uses separate keys for encryption and decryption. You may want to use RSA key exchange if:
  • Your organization stores sensitive information in Surround SCM.
  • Your network is potentially insecure.
  • Users log in to client applications from outside your network.
  • Users are authenticated to Surround SCM using LDAP, single sign-on, or external authentication.
To use RSA key exchange, select Use RSA key exchange in the global General server options. This generates the required public key that must be added to clients that connect to the server. Click Download Public Key File to download an XML file that includes the Surround SCM Server address, port number, and public key. Make sure to save the key file in a secure location.

Adding the key to clients

After RSA key exchange is enabled, the public key must be added to server connections in clients so users can access Surround SCM. This process is slightly different for different client types.

Distribute the key file to all users who use the Surround SCM Client or CLI. Client users must import the file to their server connection settings. For example, on the Surround SCM Login dialog box, click Setup. Select the server connection to add the public key to and click Edit. Click Import, select the key file, and click Open. Click OK to save the changes.

CLI users simply need to save the key file and enter the full path to it in the -z option with commands instead of entering the server connection information.

If users use Surround SCM Web or proxy servers, only the Surround SCM administrator needs to import the key file using the Surround SCM Registry Utility. For example, click Web Options or Proxy Options in the registry utility and then click Import on the Server Options dialog box. Select the key file and click OK to save the changes.

Securing Seapine License Server communication

The same encryption and key exchange principles apply to the Seapine License Server. Always enable encryption to make sure communication is secure between the license server, admin utilities, API, and other Seapine product servers. To enable encryption and RSA for the license server, click Server Options in the license server admin utility and select the Server category.

More information

For more information about encryption and key exchange, see the following help topics:

If you also use TestTrack, see our related blog post about securing TestTrack client/server communication.