Helix ALM Security Best Practices
Use the following best practices to keep your Helix ALM and Helix ALM License Server data secure. Implementing these practices can help you avoid common mistakes that could leave your data vulnerable to theft, damage, or loss.
Note: Best practices for securing Surround SCM data are similar. If you also use it, see the
Use the following information to properly manage and secure the Helix ALM Server and license server.
Helix ALM clients exchange data with the Helix ALM Server, which also exchanges data with the license server and any other Helix ALM applications you use. To keep your data secure,
Note: The OpenSSL version used by Helix ALM is displayed with the
To encrypt license server communication, select Encrypt communication between the license server and other applications in the server options in the Helix ALM License Server Admin Utility.
Note: These options do not affect login credentials sent from Helix ALM web clients to the Helix ALM Server and license server. To encrypt communication between browsers and the CGI, configure HTTPS on your web server.
You can also use RSA key exchange on the Helix ALM Server and license server if your network is potentially insecure or any users access client applications outside your network using a username and password. RSA is a public encryption algorithm that uses separate keys for encryption and decryption, which helps prevent man-in-the-middle attacks where a hacker intercepts or alters communication between clients and servers. See Securing communication between clients and servers for information.
When RSA key exchange is enabled, public and private key files are generated and clients can only connect to the server when the correct key is exchanged. The key files remain on the server hard drive. Download the server settings XML file to a secure location and distribute it to authorized users so they can import the public key fingerprint in client applications used to connect to the
Tip: Update security permissions on the RSA key files to better protect them. Only the server needs read and modify access to the private and public key files on the server computer. All users need read access to the downloaded server settings file, but only administrative users should have access to modify it. See the operating system help for information about file security.
Set a license server communications password to secure communication between the license server and other Helix ALM product servers, and prevent unauthorized servers from using licenses. To set the communications password, enter and confirm the password in the server options in the license server admin utility.
After the communications password is set, you must also
If users do not connect to Helix ALM from outside your network, configure a firewall and network address translation (NAT) to separate the Helix ALM Server and license server from the internet. Any server exposed to the internet is vulnerable to hackers who can destroy data, encrypt data and hold it for ransom, or exploit your company’s products. The specific security measures needed depend on your network configuration. Ask your network administrator for help.
In the Helix ALM Registry Utility, configure server security options to control access to Helix ALM data from external source control providers. These options can help prevent hackers from decrypting provider keys for external source control provider integration and automatically disable access and reject requests from clients after failed access attempts.
The following screenshots show the Helix ALM Server and license server logs.
You can also
Make sure you always use the most recent Helix ALM version. Upgrading when a new version is available not only provides you with the newest features, but could also provide additional security options not available in earlier versions.
Make sure to also review any new RDBMS updates and security patches. Installing these updates keeps your RDBMS running with the necessary features to meet current security standards. See the RDBMS help for information.
Web server management
Use the following information to secure the web server that hosts
Encryption options in the Helix ALM Server and license server admin utilities only secure data that passes between desktop clients and server applications. Login credentials sent from web clients to the Helix ALM Server and license server are not encrypted. If users access Helix ALM Web from outside your network, configure HTTPS on the web server that hosts it to encrypt communication between browsers and the CGI. See the web server help for information about HTTPS.
Clickjacking can occur when hackers use transparent frames or iframes to embed content in web pages to trick users into clicking buttons or hyperlinks on a different web page in another domain or application. To protect your data and prevent clickjacking in
Use the following information to secure Helix ALM and license server databases.
Helix ALM clients and the license server admin utility do not need write access to database files because they pass data through the server applications. Restrict access to database files to prevent users or other processes from modifying or deleting data.
If your data is hosted in native SQLite databases, only the Helix ALM Server and license server processes need write access to database files. If your data is hosted in PostgreSQL, Oracle, or SQL Server, only the database server process needs write access to database files. See the operating system help for information about configuring file security for SQLite files or ask your DBA for help with security for RDBMS files.
Always back up your data regularly. Nightly backups ensure data loss is minimal if a virus attack, hardware failure, or malicious activity occurs.
Make sure to back up the license server database,
Tip: Use the Helix ALM Native Database Backup Utility to back up Helix ALM native (SQLite) project databases without stopping the Helix ALM Server. See Backing Up Native Project Databases for information.
Data loss can occur due to virus attacks, hard drive failures, or file system corruption. Take the following measures to prevent data corruption on computers that host the Helix ALM Server, license server, and the server and
- Use an uninterruptible power supply (UPS).
- Make sure the hard drive is properly maintained and in good condition.
- If you need to shut down the computer, make sure it is done correctly.
Note: If you think your data files are corrupt, contact Perforce Support immediately. Data is recoverable in most instances. A corrupt database may lead to an extended amount of down time. If a database backup is not available, you may have to send your data files to Perforce for in-house data recovery.
Use the following information to efficiently manage user access to Helix ALM clients and the license server admin utility.
Default administrative user and local admin user passwords are set on the Helix ALM Server during installation. The default administrative user (Administrator) lets you log in to Helix ALM for the first time to
To change the administrative password,
Note: The default Administrator account is a global user shared between the license server, Helix ALM, and Surround SCM. Password changes for this account in Helix ALM also affect the default login credentials for the license server admin utility and Surround SCM.
Passwords are one of the easiest ways to protect against unauthorized access. Many users choose weak passwords. Make sure your team uses industry-standard methods to create strong passwords. Effective passwords should:
- Be a minimum of eight characters
- Use mixed case and a combination of alphanumeric characters and punctuation
- Not contain personal information or elements of the username
- Not be real words or patterns of letters on a keyword
- Not follow the pattern of previous passwords
- Be easy to remember but difficult to guess
Configure password requirements, such as minimum password length and required character types, in the license server admin utility to force users to set strong passwords.
Note: These requirements only affect users stored on the license server. Password restrictions for LDAP and Active Directory users are configured on the corresponding server. See the LDAP or Active Directory server help for information about setting password restrictions.
Security groups control user access to Helix ALM actions. A user only has access to perform actions based on the enabled commands for the security group they are assigned to. Carefully consider the access users in different roles need and
Tip: If you use the Helix ALM SDK, create a dedicated SOAP user and assign it to a security group that only has security commands enabled for actions performed by the application that uses SDK. For example, select the Allow Login Via SOAP command and clear other login commands.